[poppler] pdftohtml lets you run random shell commands

Fabio D'Urso fabiodurso at hotmail.it
Mon Apr 23 13:10:27 PDT 2012

On Monday, April 23, 2012 07:10:05 PM Albert Astals Cid wrote:
> On Monday, 23 April 2012 at 12:35:46, William Bader wrote:
> > Would it be safer to call one of the exec() functions instead of
> > system()?
> Of course it is, it is what my patch does. Actually, as in my initial mail, I
> don't think quoting is a valid fix, so I'm voting for exec()+whatever
> Windows has in terms of exec, or direct removal.

On Windows, the command line is just a string. Therefore, arguments must still
be escaped. And the escaping rules for CreateProcess are different from the
escaping rules for the cmd shell...

I'm attaching a patch (to be applied on top of Albert's initial one) that
implements executeCommand on win32.

References:
 CreateProcess function
 Parsing C Command-Line Arguments
-------------- next part --------------
A non-text attachment was scrubbed...
Name: win32-executeCommand.patch
Type: text/x-patch
Size: 2062 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/poppler/attachments/20120423/7a03ee3f/attachment.bin>
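The point above (CreateProcess takes one flat lpCommandLine string, and the Microsoft C runtime splits it with rules that are not cmd's) is easiest to see in code. The following is an added illustration written for this thread, not Fabio's attached patch or poppler code: quoteWin32Arg applies the backslash/quote rules from "Parsing C Command-Line Arguments" so that each argv element survives the round trip unchanged, buildWin32CommandLine joins the quoted pieces into the string one would hand to CreateProcess, and parseWin32CommandLine is a reference implementation of the CRT argument splitter used only to check the round trip (it models the argument rules, not the separate program-name rule or the later "" inside-quotes rule, which the quoter never emits). All function names are this example's own.

```cpp
#include <string>
#include <vector>
#include <cstddef>

// Quote one argument so the MSVCRT command-line parser reproduces it exactly
// as a single argv element. Rules: wrap in double quotes when needed; a run of
// N backslashes before a quote becomes 2N+1 backslashes plus \"; a run before
// the closing quote becomes 2N; other backslashes are literal.
std::string quoteWin32Arg(const std::string &arg) {
    // Non-empty arguments without whitespace or quotes need no quoting.
    if (!arg.empty() && arg.find_first_of(" \t\n\v\"") == std::string::npos)
        return arg;

    std::string out = "\"";
    std::size_t i = 0;
    while (i < arg.size()) {
        std::size_t backslashes = 0;
        while (i < arg.size() && arg[i] == '\\') { ++backslashes; ++i; }

        if (i == arg.size()) {
            // Backslashes before the closing quote are doubled so the closing
            // quote stays a delimiter.
            out.append(backslashes * 2, '\\');
        } else if (arg[i] == '"') {
            // Backslashes before an embedded quote are doubled, then the
            // quote itself is escaped.
            out.append(backslashes * 2 + 1, '\\');
            out.push_back('"');
            ++i;
        } else {
            // Backslashes not followed by a quote are taken literally.
            out.append(backslashes, '\\');
            out.push_back(arg[i]);
            ++i;
        }
    }
    out.push_back('"');
    return out;
}

// Join an argv vector into the single string CreateProcess expects.
std::string buildWin32CommandLine(const std::vector<std::string> &argv) {
    std::string line;
    for (std::size_t k = 0; k < argv.size(); ++k) {
        if (k) line.push_back(' ');
        line += quoteWin32Arg(argv[k]);
    }
    return line;
}

// Reference CRT argument splitter (argument rules only), used to verify the
// quoting above; not the program-name rule and not the "" in-quotes rule.
std::vector<std::string> parseWin32CommandLine(const std::string &line) {
    std::vector<std::string> argv;
    std::string cur;
    bool inArg = false, inQuotes = false;
    std::size_t i = 0;
    while (i < line.size()) {
        char c = line[i];
        if (c == '\\') {
            std::size_t backslashes = 0;
            while (i < line.size() && line[i] == '\\') { ++backslashes; ++i; }
            if (i < line.size() && line[i] == '"') {
                // 2N backslashes + quote -> N backslashes, quote is a delimiter
                // (handled on the next iteration); 2N+1 -> N backslashes + '"'.
                cur.append(backslashes / 2, '\\');
                if (backslashes % 2 == 1) { cur.push_back('"'); ++i; }
            } else {
                cur.append(backslashes, '\\');
            }
            inArg = true;
        } else if (c == '"') {
            inQuotes = !inQuotes;   // delimiter: toggles whitespace handling
            inArg = true;
            ++i;
        } else if (!inQuotes && (c == ' ' || c == '\t')) {
            if (inArg) { argv.push_back(cur); cur.clear(); inArg = false; }
            ++i;
        } else {
            cur.push_back(c);
            inArg = true;
            ++i;
        }
    }
    if (inArg) argv.push_back(cur);
    return argv;
}

// True when quoting and re-parsing gives back exactly the input argv.
bool roundTrips(const std::vector<std::string> &argv) {
    return parseWin32CommandLine(buildWin32CommandLine(argv)) == argv;
}
```

Note that none of this makes the resulting string safe to pass to system() or cmd.exe: quoting for the CRT parser only guarantees that CreateProcess hands the child the intended argv; a shell in between would apply its own, different rules to the same characters.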
