[poppler] pdftohtml lets you run random shell commands

Fabio D'Urso fabiodurso at hotmail.it
Mon Apr 23 13:10:27 PDT 2012


On Monday, April 23, 2012 07:10:05 PM Albert Astals Cid wrote:
> On Monday, 23 April 2012, at 12:35:46, William Bader wrote:
> > Would it be safer to call one of the exec() functions instead of
> > system()?
> 
> Of course it is, it is what my patch does. Actually, as in my initial mail, I
> don't think quoting is a valid fix, so I'm voting for exec()+whatever
> Windows has in terms of exec, or direct removal.

On Windows, the command line is just a string. Therefore, arguments must still
be escaped. And the escaping rules for CreateProcess are different from the
escaping rules for the cmd shell...

I'm attaching a patch (to be applied on top of Albert's initial one) that
implements executeCommand on win32.

Fabio

References:
 CreateProcess function:
  http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx
 Parsing C Command-Line Arguments:
  http://msdn.microsoft.com/en-us/library/a1y7w461.aspx
Attachment: win32-executeCommand.patch (text/x-patch, 2062 bytes)
 http://lists.freedesktop.org/archives/poppler/attachments/20120423/7a03ee3f/attachment.bin
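The escaping Fabio is pointing at is the C runtime's splitting of the single CreateProcess command-line string, not cmd.exe's. The code below is an added example written for this page, not Fabio's attached patch and not poppler code: it quotes each argument by the CRT rules (2n backslashes before a quote collapse to n with the quote toggling quoting mode, 2n+1 give n plus a literal quote) and joins them into the one string CreateProcess takes. Function names and buffer sizes are my own; nothing here calls the Win32 API, so it builds on any platform.

```c
#include <string.h>
/* Append one byte to out[], failing when no room would be left for the NUL. */
#define PUT(c) do { if (n + 1 >= outlen) return -1; out[n++] = (c); } while (0)

/* Quote one argument so the MSVC C runtime, which re-splits the single
 * CreateProcess command-line string, hands the child exactly `arg`.
 * Returns bytes written (without the NUL), or -1 if `out` is too small. */
int win32_quote_arg(const char *arg, char *out, size_t outlen)
{
    size_t n = 0, i, bs, k;
    PUT('"');
    for (i = 0; ; i++) {
        for (bs = 0; arg[i] == '\\'; i++) bs++;  /* length of a backslash run */
        /* run meets the closing quote: 2n backslashes keep them literal */
        if (arg[i] == '\0') { for (k = 0; k < 2 * bs; k++) PUT('\\'); break; }
        if (arg[i] == '"') {                     /* run meets a literal quote: 2n+1 */
            for (k = 0; k < 2 * bs + 1; k++) PUT('\\');
            PUT('"');
        } else {                                 /* ordinary run: unchanged */
            for (k = 0; k < bs; k++) PUT('\\');
            PUT(arg[i]);
        }
    }
    PUT('"');
    out[n] = '\0';
    return (int)n;
}

/* Build the command line CreateProcess expects from argv[]; no shell parses
 * it, so cmd.exe metacharacters such as & or | in a file name stay literal. */
int win32_build_cmdline(int argc, char **argv, char *out, size_t outlen)
{
    size_t n = 0;
    int i, len;
    for (i = 0; i < argc; i++) {
        if (i) PUT(' ');
        if ((len = win32_quote_arg(argv[i], out + n, outlen - n)) < 0) return -1;
        n += (size_t)len;
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if argv[] builds exactly `expected`; lets callers check with literals. */
int cmdline_is(int argc, char **argv, const char *expected)
{
    char cl[512];
    return win32_build_cmdline(argc, argv, cl, sizeof cl) >= 0 && strcmp(cl, expected) == 0;
}
```

For example, `{"pdftohtml", "C:\dir\"}` becomes the string `"pdftohtml" "C:\dir\\"`, with the trailing backslash doubled so the CRT does not read it as escaping the closing quote.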