fix further file names vulnerabilities in modules

src/Mod/Drawing/Gui/Command.cpp

@@ -22,6 +22,7 @@
 
 #include <vector>
 
+#include <Base/Tools.h>
 #include <App/PropertyGeo.h>
 
 #include <Gui/Action.h>
@@ -72,6 +73,7 @@ void CmdDrawingOpen::activated(int iMsg)
         QString::fromLatin1("%1 (*.svg *.svgz)").arg(QObject::tr("Scalable Vector Graphic")));
     if (!filename.isEmpty())
     {
+        filename = Base::Tools::escapeEncodeFilename(filename);
         // load the file with the module
         Command::doCommand(Command::Gui, "import Drawing, DrawingGui");
 #if PY_MAJOR_VERSION < 3
@@ -108,9 +110,10 @@ void CmdDrawingNewPage::activated(int iMsg)
 
     QFileInfo tfi(a->property("Template").toString());
     if (tfi.isReadable()) {
+        QString filename = Base::Tools::escapeEncodeFilename(tfi.filePath());
         openCommand("Create page");
         doCommand(Doc,"App.activeDocument().addObject('Drawing::FeaturePage','%s')",FeatName.c_str());
-        doCommand(Doc,"App.activeDocument().%s.Template = '%s'",FeatName.c_str(), (const char*)tfi.filePath().toUtf8());
+        doCommand(Doc,"App.activeDocument().%s.Template = '%s'",FeatName.c_str(), (const char*)filename.toUtf8());
         doCommand(Doc,"App.activeDocument().recompute()");
         doCommand(Doc,"Gui.activeDocument().getObject('%s').show()",FeatName.c_str());
         commitCommand();
@@ -595,6 +598,7 @@ void CmdDrawingSymbol::activated(int iMsg)
     {
         std::string PageName = pages.front()->getNameInDocument();
         std::string FeatName = getUniqueObjectName("Symbol");
+        filename = Base::Tools::escapeEncodeFilename(filename);
         openCommand("Create Symbol");
         doCommand(Doc,"import Drawing");
 #if PY_MAJOR_VERSION < 3
@@ -657,6 +661,7 @@ void CmdDrawingExportPage::activated(int iMsg)
 
         doCommand(Doc,"PageFile = open(App.activeDocument().%s.PageResult,'r')",Sel[0].FeatName);
         std::string fname = (const char*)fn.toUtf8();
+        fname = Base::Tools::escapeEncodeFilename(fname);
 #if PY_MAJOR_VERSION < 3
         doCommand(Doc,"OutFile = open(unicode(\"%s\",'utf-8'),'w')",fname.c_str());
 #else

src/Mod/Import/Gui/Command.cpp

@@ -26,6 +26,7 @@
 #endif
 
 #include <Base/Exception.h>
+#include <base/Tools.h>
 #include <App/Document.h>
 #include <Gui/Application.h>
 #include <Gui/MainWindow.h>
@@ -63,6 +64,7 @@ void FCCmdImportReadBREP::activated(int iMsg)
         return;
     }
 
+    fn = Base::Tools::escapeEncodeFilename(fn);
     doCommand(Doc,"TopoShape = Import.ReadBREP(\"%s\")",(const char*)fn.toUtf8());
     commitCommand();
 }
@@ -97,6 +99,7 @@ void ImportStep::activated(int iMsg)
     if (!fn.isEmpty()) {
         openCommand("Part ImportSTEP Create");
         doCommand(Doc,"f = App.document().addObject(\"ImportStep\",\"ImportStep\")");
+        fn = Base::Tools::escapeEncodeFilename(fn);
         doCommand(Doc,"f.FileName = \"%s\"",(const char*)fn.toUtf8());
         commitCommand();
         updateActive();
@@ -136,6 +139,7 @@ void ImportIges::activated(int iMsg)
     if (!fn.isEmpty()) {
         openCommand("ImportIGES Create");
         doCommand(Doc,"f = App.document().addObject(\"ImportIges\",\"ImportIges\")");
+        fn = Base::Tools::escapeEncodeFilename(fn);
         doCommand(Doc,"f.FileName = \"%s\"",(const char*)fn.toUtf8());
         commitCommand();
         updateActive();

src/Mod/Raytracing/Gui/Command.cpp

@@ -252,6 +252,7 @@ void CmdRaytracingWriteView::activated(int)
     if (fn.isEmpty())
         return;
     std::string cFullName = (const char*)fn.toUtf8();
+    cFullName = strToPython(cFullName);
 
 
     // get all objects of the active document
@@ -556,6 +557,7 @@ void CmdRaytracingExportProject::activated(int)
 
         doCommand(Doc,"PageFile = open(App.activeDocument().%s.PageResult,'r')",Sel[0].FeatName);
         std::string fname = (const char*)fn.toUtf8();
+        fname = strToPython(fname);
 #if PY_MAJOR_VERSION < 3
         doCommand(Doc,"OutFile = open(unicode('%s','utf-8'),'w')",fname.c_str());
 #else