Fix shell injection via specially crafted filenames in filter and clo…

…ck code
varietywalls · Sep 19, 2017 · 6572223 · 6572223
1 parent 475a5e0
commit 6572223
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/variety/VarietyWindow.py b/variety/VarietyWindow.py
@@ -41,6 +41,7 @@
 import re
 import urlparse
 import webbrowser
+import pipes
 from PIL import Image as PILImage
 
 # Replacement for shutil.which, which (no pun intended) only exists on Python 3.3+
@@ -1161,7 +1162,7 @@ def build_imagemagick_filter_cmd(self, filename, target_file):
 
         w = Gdk.Screen.get_default().get_width()
         h = Gdk.Screen.get_default().get_height()
-        cmd = 'convert "%s" -scale %dx%d^ ' % (filename, w, h)
+        cmd = 'convert %s -scale %dx%d^ ' % (pipes.quote(filename), w, h)
 
         logger.info(lambda: "Applying filter: " + filter)
         cmd += filter + ' '
@@ -1179,7 +1180,7 @@ def build_imagemagick_clock_cmd(self, filename, target_file):
 
         w = Gdk.Screen.get_default().get_width()
         h = Gdk.Screen.get_default().get_height()
-        cmd = 'convert "%s" -scale %dx%d^ ' % (filename, w, h)
+        cmd = 'convert %s -scale %dx%d^ ' % (pipes.quote(filename), w, h)
 
         hoffset, voffset = Util.compute_trimmed_offsets(Util.get_size(filename), (w, h))
         clock_filter = self.options.clock_filter