#233 Shell command injection when saving to an image format

v1.0_(example)
closed-fixed
nobody
None
5
2016-11-03
2016-11-01
No

When saving a scan to a PNG image and typing a file name with an ampersand character into the file save dialog, saving fails because the ampersand character is interpreted by a shell. This is the debug output when using the 'sed & awk' file name:

DEBUG - Started saving /tmp/sed & awk.png
INFO - convert /tmp/gscan2pdf-hkyZ/Guv2RgScVh.pnm -density 50 /tmp/sed\ &\ awk.png
sh: awk.png: command not found
ERROR - Error saving image
DEBUG - Finished saving /tmp/sed & awk.png

JPEG images also suffer from the same error. Saving PDF or DjVu is fine.

Discussion

  • Petr Písař

    Petr Písař - 2016-11-01

    Tested with latest 1.5.5 as well as with 1.3.9.

     
  • Petr Písař

    Petr Písař - 2016-11-01

    I can see the _thread_save_image() function escapes some characters (not the ampersand) and then it calls

    my $status = system "echo $PROCESS_ID > $pidfile;$cmd";

    Executing commands via a shell is wrong because you can never know how the user's shell behaves, what the metacharacters are, etc. You should use IPC::Run3 or a similar helper to avoid it. It would also allow you to capture error output, so that you can display it to the user in the GUI.

     
  • Petr Písař

    Petr Písař - 2016-11-01

    Attached patch implements it for saving into images.

    I spotted more system() calls in the Document.pm. I did not touch them.

     
  • Jeffrey Ratcliffe

    I use IPC::Open3 to wrap scanimage calls, but I hadn't appreciated the fact that it then removes the need to escape special characters from the shell.

    Thanks for the patch. I've committed it and you'll see it in the next release.

     
  • Jeffrey Ratcliffe

    • status: open --> closed-fixed
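
The difference the thread describes, as an added example that is not part of the ticket or of gscan2pdf's code: the same 'sed & awk' file name passed once as an argument list through IPC::Open3 (no shell involved, stderr captured separately) and once through a single-string system() call. The run_no_shell helper and the use of the Perl interpreter as a stand-in for convert are assumptions made for the illustration; a POSIX /bin/sh is assumed.

```perl
#!/usr/bin/perl
# Added example, not gscan2pdf code. Assumes a POSIX system with /bin/sh.
use strict;
use warnings;
use IPC::Open3;
use Symbol 'gensym';

# Run a command passed as a list. Each element reaches the child as one
# argv entry; no shell parses it. (A single string with metacharacters
# would be handed to the shell again, so always pass the program and its
# arguments as separate elements.) Reads stdout, then stderr, which is
# fine for the short output expected here.
sub run_no_shell {
    my @argv = @_;
    my $err  = gensym;    # without its own handle, stderr merges into stdout
    my $pid  = open3( my $in, my $out, $err, @argv );
    close $in;
    my $stdout = do { local $/; <$out> } // '';
    my $stderr = do { local $/; <$err> } // '';
    waitpid $pid, 0;
    return ( $? >> 8, $stdout, $stderr );
}

my $file = '/tmp/sed & awk.png';    # file name from the report

# Hypothetical stand-in for `convert`: the Perl interpreter itself,
# reporting how many arguments it received and the last one.
my @cmd = ( $^X, '-e', 'print scalar(@ARGV), "|$ARGV[-1]"',
            '--', 'in.pnm', '-density', '50', $file );

my ( $exit, $out, $err ) = run_no_shell(@cmd);
print "list form:  exit=$exit stdout=$out\n";
print "stderr for the GUI: $err\n" if length $err;

# Shell form as in the log: spaces escaped, '&' not. The shell backgrounds
# the first half and then tries to run " awk.png" as a command.
( my $escaped = $file ) =~ s/ /\\ /g;
system "$^X -e 1 -- $escaped 2>/dev/null";
print "shell form: exit=", $? >> 8, "\n";
```

In the list form the child sees four arguments and the file name arrives intact; in the shell form the name is split at the ampersand and the second half fails as an unknown command, as in the debug output in the report.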
     
