% o exception: return any errors here.
%
*/
+
+static char *SanitizeSystemCommand(const char *command)
+{
+ char
+ *sanitize_command;
+
+ const char
+ *q;
+
+ register char
+ *p;
+
+ static char
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-"
+ ".@&;<>|\\\'\":%";
+
+ sanitize_command=AcquireString(command);
+ p=sanitize_command;
+ q=sanitize_command+strlen(sanitize_command);
+ for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
+ *p='_';
+ return(sanitize_command);
+}
+
MagickExport int SystemCommand(const MagickBooleanType asynchronous,
const MagickBooleanType verbose,const char *command,ExceptionInfo *exception)
{
char
**arguments,
- *shell_command;
+ *sanitize_command;
int
number_arguments,
(void) FormatLocaleFile(stderr,"%s\n",command);
(void) fflush(stderr);
}
- shell_command=(char *) command;
+ sanitize_command=SanitizeSystemCommand(command);
if (asynchronous != MagickFalse)
- {
- shell_command=AcquireString(command);
- (void) ConcatenateMagickString(shell_command,"&",MaxTextExtent);
- }
+ (void) ConcatenateMagickString(sanitize_command,"&",MaxTextExtent);
#if defined(MAGICKCORE_POSIX_SUPPORT)
#if !defined(MAGICKCORE_HAVE_EXECVP)
- status=system(shell_command);
+ status=system(sanitize_command);
#else
if ((asynchronous != MagickFalse) ||
- (strpbrk(shell_command,"&;<>|") != (char *) NULL))
- status=system(shell_command);
+ (strpbrk(sanitize_command,"&;<>|") != (char *) NULL))
+ status=system(sanitize_command);
else
{
pid_t
*/
child_pid=(pid_t) fork();
if (child_pid == (pid_t) -1)
- status=system(command);
+ status=system(sanitize_command);
else
if (child_pid == 0)
{
}
#endif
#elif defined(MAGICKCORE_WINDOWS_SUPPORT)
- status=NTSystemCommand(shell_command);
+ status=NTSystemCommand(sanitize_command);
#elif defined(macintosh)
- status=MACSystemCommand(shell_command);
+ status=MACSystemCommand(sanitize_command);
#elif defined(vms)
- status=system(shell_command);
+ status=system(sanitize_command);
#else
# error No suitable system() method.
#endif
if (status < 0)
(void) ThrowMagickException(exception,GetMagickModule(),DelegateError,
"FailedToExecuteCommand","`%s' (%d)",command,status);
- if (shell_command != command)
- shell_command=DestroyString(shell_command);
+ sanitize_command=DestroyString(sanitize_command);
for (i=0; i < (ssize_t) number_arguments; i++)
arguments[i]=DestroyString(arguments[i]);
arguments=(char **) RelinquishMagickMemory(arguments);
projects / imagemagick / commitdiff