0004809: Security vulnerability in DWG import when using ODA file con…

…verter
FreeCAD · Dec 28, 2021 · 1742d7f · 1742d7f
1 parent af3e510
commit 1742d7f
Showing 1 changed file with 8 additions and 12 deletions.
diff --git a/src/Mod/Draft/importDWG.py b/src/Mod/Draft/importDWG.py
@@ -44,8 +44,6 @@
 # *                                                                         *
 # ***************************************************************************
 
-# TODO: use subprocess.popen() instead of subprocess.call()
-
 import six
 import FreeCAD
 from FreeCAD import Console as FCC
@@ -216,13 +214,10 @@ def convertToDxf(dwgfilename):
             indir = os.path.dirname(dwgfilename)
             outdir = tempfile.mkdtemp()
             basename = os.path.basename(dwgfilename)
-            cmdline = ('"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"' % (teigha, indir, outdir, basename))
-            FCC.PrintMessage(translate("draft", "Converting:") + " " + cmdline + "\n")
-            if six.PY2:
-                if isinstance(cmdline, six.text_type):
-                    encoding = sys.getfilesystemencoding()
-                    cmdline = cmdline.encode(encoding)
-            subprocess.call(cmdline, shell=True)  # os.system(cmdline)
+            cmdline = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
+            FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+            proc = subprocess.Popen(cmdline)
+            proc.communicate()
             result = outdir + os.sep + os.path.splitext(basename)[0] + ".dxf"
             if os.path.exists(result):
                 FCC.PrintMessage(translate("draft", "Conversion successful") + "\n")
@@ -291,9 +286,10 @@ def convertToDwg(dxffilename, dwgfilename):
             indir = os.path.dirname(dxffilename)
             outdir = os.path.dirname(dwgfilename)
             basename = os.path.basename(dxffilename)
-            cmdline = ('"%s" "%s" "%s" "ACAD2000" "DWG" "0" "1" "%s"' % (teigha, indir, outdir, basename))
-            FCC.PrintMessage(translate("draft", "Converting:") + " " + cmdline + "\n")
-            subprocess.call(cmdline, shell=True)  # os.system(cmdline)
+            cmdline = [teigha, indir, outdir, "ACAD2000", "DWG", "0", "1", basename]
+            FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+            proc = subprocess.Popen(cmdline)
+            proc.communicate()
             return dwgfilename
         else:
             if conv != 0: