Hi,
First thank you for your work.
In UnixPlatform.class, command arguments are escaped using double quotes, but it's not safe; a better way is using escapeshellarg(). In addition, with escapeshellarg(), it becomes safe mode / exec_dir patch compatible.
You can find the patch in the attachment.
Hope it will be included in the next release.
Regards
Cédric
escape shell args
The quoting is not for escaping, but to make sure that we handle spaces properly. All commands are generated internally using non-user-supplied data. As far as I know, this is not a security issue so I'll rename it appropriately. If you know of a specific flaw related to this, please escalate again. Otherwise, since development has ceased on Gallery 2 we'll leave it the way it is.
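The difference between the two quoting styles discussed in the report, as an added example (not code from Gallery 2 or from the attached patch): each constructed argument is round-tripped through the shell with both schemes, and a scheme is correct only if the argument comes back unchanged. Function names and sample values are assumptions for this illustration.

```php
<?php
// Added example: double-quote wrapping versus escapeshellarg(), checked
// by a round trip through the shell.

// The scheme the report objects to: spaces survive, but a double quote,
// a $ variable reference or a backtick inside the argument is still
// interpreted by the shell.
function quoteWithDoubleQuotes(string $arg): string
{
    return '"' . $arg . '"';
}

// escapeshellarg() single-quotes the argument and rewrites any embedded
// single quote as '\'' so the shell treats the whole value literally.
function quoteWithEscapeShellArg(string $arg): string
{
    return escapeshellarg($arg);
}

// Hand the quoted argument to printf and return what the shell delivered;
// a correct quoting scheme returns the original argument unchanged.
function roundTrip(string $quotedArg): ?string
{
    $out = shell_exec("printf '%s' " . $quotedArg . " 2>/dev/null");
    return ($out === null || $out === false) ? null : $out;
}

// Constructed sample values: a space, an embedded double quote,
// a variable reference and an embedded single quote.
$samples = ['two words', 'say "hi"', 'cost $HOME', "it's"];

foreach ($samples as $arg) {
    $naive = roundTrip(quoteWithDoubleQuotes($arg));
    $safe  = roundTrip(quoteWithEscapeShellArg($arg));
    printf("%-14s double-quotes=%-7s escapeshellarg=%s\n",
        var_export($arg, true),
        $naive === $arg ? 'ok' : 'BROKEN',
        $safe === $arg ? 'ok' : 'BROKEN');
}
```

Run with the PHP CLI on a Unix host; the double-quote scheme passes only the first and last samples, while escapeshellarg() returns all four intact.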