From 1742d7ff82af1653253c4a4183c262c9af3b26d6 Mon Sep 17 00:00:00 2001
From: wmayer
Date: Tue, 28 Dec 2021 16:15:42 +0100
Subject: [PATCH] 0004809: Security vulnerability in DWG import when using ODA file converter

---
 src/Mod/Draft/importDWG.py | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/src/Mod/Draft/importDWG.py b/src/Mod/Draft/importDWG.py
index 05d4787111de..23372bfee940 100644
--- a/src/Mod/Draft/importDWG.py
+++ b/src/Mod/Draft/importDWG.py
@@ -44,8 +44,6 @@
 # * *
 # ***************************************************************************
 
-# TODO: use subprocess.popen() instead of subprocess.call()
-
 import six
 import FreeCAD
 from FreeCAD import Console as FCC
@@ -216,13 +214,10 @@ def convertToDxf(dwgfilename):
         indir = os.path.dirname(dwgfilename)
         outdir = tempfile.mkdtemp()
         basename = os.path.basename(dwgfilename)
-        cmdline = ('"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"' % (teigha, indir, outdir, basename))
-        FCC.PrintMessage(translate("draft", "Converting:") + " " + cmdline + "\n")
-        if six.PY2:
-            if isinstance(cmdline, six.text_type):
-                encoding = sys.getfilesystemencoding()
-                cmdline = cmdline.encode(encoding)
-        subprocess.call(cmdline, shell=True) # os.system(cmdline)
+        cmdline = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
+        FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+        proc = subprocess.Popen(cmdline)
+        proc.communicate()
         result = outdir + os.sep + os.path.splitext(basename)[0] + ".dxf"
         if os.path.exists(result):
             FCC.PrintMessage(translate("draft", "Conversion successful") + "\n")
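Review bot: The converter's exit status is discarded after `proc.communicate()` in convertToDxf — `communicate()` is used only to wait, so a non-zero return code from the ODA converter is never surfaced, and the later `os.path.exists(result)` check detects the failure but loses the reason. Add `if proc.returncode != 0: FCC.PrintWarning(translate("draft", "Conversion failed with exit code") + " " + str(proc.returncode) + "\n")` right after the `communicate()` call (on Python 3 the Popen/communicate pair collapses to `proc = subprocess.run(cmdline)`). The removed `six.PY2` branch encoded the command with the filesystem encoding and the file still imports six, so if Python 2 remains a target, non-ASCII paths passed in the list form may hit the same encoding problem — worth confirming against the supported interpreters. The same exit-status point applies to the convertToDwg hunk that follows. convertToDxf begins before and continues after this hunk on both sides.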
@@ -291,9 +286,10 @@ def convertToDwg(dxffilename, dwgfilename):
         indir = os.path.dirname(dxffilename)
         outdir = os.path.dirname(dwgfilename)
         basename = os.path.basename(dxffilename)
-        cmdline = ('"%s" "%s" "%s" "ACAD2000" "DWG" "0" "1" "%s"' % (teigha, indir, outdir, basename))
-        FCC.PrintMessage(translate("draft", "Converting:") + " " + cmdline + "\n")
-        subprocess.call(cmdline, shell=True) # os.system(cmdline)
+        cmdline = [teigha, indir, outdir, "ACAD2000", "DWG", "0", "1", basename]
+        FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+        proc = subprocess.Popen(cmdline)
+        proc.communicate()
         return dwgfilename
     else:
         if conv != 0:
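Review bot: `return dwgfilename` on the line after `proc.communicate()` reports success regardless of whether the converter produced the file, whereas convertToDxf verifies its output with `os.path.exists` before announcing success; now that the status is available from Popen, the return should be guarded, e.g. `if proc.returncode != 0 or not os.path.exists(dwgfilename): FCC.PrintWarning(translate("draft", "Conversion failed") + "\n")` before returning. How callers treat a missing or failed result is outside this hunk, so whether to return None or keep returning the path on failure needs checking against them. convertToDwg starts before this hunk and its `else:` branch continues past it.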