
0004809: Security vulnerability in DWG import when using ODA file con…
…verter

manual backport of commit 1742d7f
donovaly committed Jan 3, 2022
1 parent b163041 commit ad6977f
Showing 1 changed file with 8 additions and 11 deletions.
19 changes: 8 additions & 11 deletions src/Mod/Draft/importDWG.py
Expand Up @@ -44,8 +44,6 @@
# * *
# ***************************************************************************

# TODO: use subprocess.popen() instead of subprocess.call()

import six
import FreeCAD
from FreeCAD import Console as FCC
Expand Down Expand Up @@ -217,10 +215,10 @@ def convertToDxf(dwgfilename):
indir = os.path.dirname(dwgfilename)
outdir = tempfile.mkdtemp()
basename = os.path.basename(dwgfilename)
cmdline = ('"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"'
% (teigha, indir, outdir, basename))
FCC.PrintMessage(translate("ImportDWG", "Converting: ")
+ cmdline + "\n")
cmdline = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
proc = subprocess.Popen(cmdline)
proc.communicate()
if six.PY2:
if isinstance(cmdline, six.text_type):
encoding = sys.getfilesystemencoding()



epozuelo Aug 17, 2022

I don't think it poses an issue as cmdline is now a list, but two lines below this, the original subprocess.call method call is still there, when it should have been removed in this backport. Also maybe the subprocess.Popen call should happen after cmdline is encoded (which is buggy as well, as it's now attempting to encode a list)

Expand Down Expand Up @@ -270,10 +268,9 @@ def convertToDwg(dxffilename, dwgfilename):
indir = os.path.dirname(dxffilename)
outdir = os.path.dirname(dwgfilename)
basename = os.path.basename(dxffilename)
cmdline = ('"%s" "%s" "%s" "ACAD2000" "DWG" "0" "1" "%s"'
% (teigha, indir, outdir, basename))
FCC.PrintMessage(translate("ImportDWG", "Converting: ")
+ cmdline + "\n")
subprocess.call(cmdline, shell=True) # os.system(cmdline)
cmdline = [teigha, indir, outdir, "ACAD2000", "DWG", "0", "1", basename]
FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
proc = subprocess.Popen(cmdline)
proc.communicate()
return dwgfilename
return None
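Review bot: The converter's exit status is never checked after the new `proc.communicate()` in convertToDwg — the function returns `dwgfilename` unconditionally on the next line, so a failed ODA run yields a path to a file that may not exist; the new Popen/communicate pair in convertToDxf has the same gap, though that function's body continues outside the hunk. `Popen.communicate()` waits for the child and populates `proc.returncode`, so a short guard is enough: `if proc.returncode != 0: return None` before `return dwgfilename` (the trailing `return None` appears to be the existing no-converter fallback, so callers presumably already handle that value). Replacing the interpolated string plus `shell=True` with an argv list is the right fix for the reported issue, since `teigha`, `indir`, `outdir` and `basename` are user-controlled paths; any future change should keep them as separate list elements rather than rebuilding a shell string. As a minor style point, `str(cmdline)` in the "Converting:" message prints a Python list repr rather than a command line; `" ".join(cmdline)` reads more naturally in the log.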
