From: dirk
Date: Sat, 11 Oct 2014 19:13:34 +0000 (+0000)
Subject: Added '(' and ')' to the whitelist of SanitizeSystemCommand.
X-Git-Tag: 7.0.1-0~1900
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f2a43401803a4dfa2c76ecdeffa5bbd590ee7235;p=imagemagick

Added '(' and ')' to the whitelist of SanitizeSystemCommand. Removed SanitizeDelegateCommand because this is already done by SystemCommand.
---
diff --git a/MagickCore/delegate.c b/MagickCore/delegate.c
index d355fa62d..9f166d607 100644
--- a/MagickCore/delegate.c
+++ b/MagickCore/delegate.c
@@ -893,30 +893,6 @@ static MagickBooleanType CopyDelegateFile(const char *source,
 return(IsMagickTrue(i!=0));
 }
 
-static char *SanitizeDelegateCommand(const char *command)
-{
- char
- *sanitize_command;
-
- const char
- *q;
-
- register char
- *p;
-
- static char
- whitelist[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- "
- ".@&;<>|/\\\'\":%=~";
-
- sanitize_command=AcquireString(command);
- p=sanitize_command;
- q=sanitize_command+strlen(sanitize_command);
- for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
- *p='_';
- return(sanitize_command);
-}
-
 MagickExport MagickBooleanType InvokeDelegate(ImageInfo *image_info,
 Image *image,const char *decode,const char *encode,ExceptionInfo *exception)
 {
@@ -1120,16 +1096,11 @@ MagickExport MagickBooleanType InvokeDelegate(ImageInfo *image_info,
 command=InterpretImageProperties(image_info,image,commands[i],exception);
 if (command != (char *) NULL)
 {
- char
- *sanitize_command;
-
 /*
 Execute delegate.
 */
- sanitize_command=SanitizeDelegateCommand(command);
 status=IsMagickTrue(SystemCommand(delegate_info->spawn,
- image_info->verbose,sanitize_command,exception) != 0);
- sanitize_command=DestroyString(sanitize_command);
+ image_info->verbose,command,exception) != 0);
 if (IfMagickTrue(delegate_info->spawn))
 {
 ssize_t
diff --git a/MagickCore/utility.c b/MagickCore/utility.c
index a8b280763..a88d00327 100644
--- a/MagickCore/utility.c
+++ b/MagickCore/utility.c
@@ -1932,7 +1932,7 @@ static char *SanitizeSystemCommand(const char *command)
 static char
 whitelist[] =
 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- "
- ".@&;<>|/\\\'\":%=~";
+ ".@&;<>()|/\\\'\":%=~";
 
 sanitize_command=AcquireString(command);
 p=sanitize_command;
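Review bot: The whitelist in SanitizeSystemCommand already passes the shell control characters `&`, `;`, `<`, `>` and `|`, and this hunk adds `(` and `)`, so the filter cannot stop a value interpolated into the command from altering its structure if SystemCommand runs it through a shell. After the second delegate.c hunk, InvokeDelegate passes the output of InterpretImageProperties to SystemCommand with no filtering of its own, which leaves this table as the only check on that path. The commit message says SystemCommand applies the sanitiser, but that call is not visible in this diff and should be confirmed for both the spawn and non-spawn branches. I would state the limit above the table, e.g. `/* Not a shell-injection defence: metacharacters used by delegate templates are allowed, so interpolated values must be quoted before substitution. */`, and treat quoting of substituted file names and properties, or an argv-based spawn, as the real control. SanitizeSystemCommand's body starts and ends outside the hunk.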