kindred/create
1
1
Fork 0
Code Issues 53 Pull Requests Actions Packages Projects 9 Releases 2 Wiki Activity

fix further file names vulnerabilities in core system and Image module

Browse Source
This commit is contained in:
wmayer
2019-10-02 15:07:13 +02:00
parent bed78b0b7b
commit d2be4f115d
3 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/App/Application.cpp
View File

@@ -2057,6 +2057,8 @@ std::list<std::string> Application::processFiles(const std::list<std::string>& f
std::vector<std::string> mods = App::GetApplication().getImportModules(ext.c_str());
if (!mods.empty()) {
std::string escapedstr = Base::Tools::escapedUnicodeFromUtf8(file.filePath().c_str());
escapedstr = Base::Tools::escapeEncodeFilename(escapedstr);
Base::Interpreter().loadModule(mods.front().c_str());
Base::Interpreter().runStringArg("import %s",mods.front().c_str());
Base::Interpreter().runStringArg("%s.open(u\"%s\")",mods.front().c_str(),
@@ -2107,6 +2109,8 @@ void Application::processCmdLineFiles(void)
std::map<std::string,std::string>::const_iterator it = cfg.find("SaveFile");
if (it != cfg.end()) {
std::string output = it->second;
output = Base::Tools::escapeEncodeFilename(output);
Base::FileInfo fi(output);
std::string ext = fi.extension();
try {
@@ -2452,7 +2456,7 @@ void Application::ParseOptions(int ac, char ** av)
if (vm.count("help")) {
std::stringstream str;
str << mConfig["ExeName"] << endl << endl;
str << "For a detailed description see https://www.freecadweb.org/wiki/Start_up_and_Configuration" << endl<<endl;
str << "For a detailed description see https://www.freecadweb.org/wiki/Start_up_and_Configuration" << endl<<endl;
str << "Usage: " << mConfig["ExeName"] << " [options] File1 File2 ..." << endl << endl;
str << visible << endl;
throw Base::ProgramInformation(str.str());

7
src/Gui/Document.cpp
View File

@@ -1043,6 +1043,7 @@ bool Document::saveAs(void)
try {
Gui::WaitCursor wc;
std::string escapedstr = Base::Tools::escapedUnicodeFromUtf8(fn.toUtf8());
escapedstr = Base::Tools::escapeEncodeFilename(escapedstr);
Command::doCommand(Command::Doc,"App.getDocument(\"%s\").saveAs(u\"%s\")"
, DocName, escapedstr.c_str());
setModified(false);
@@ -1116,15 +1117,13 @@ bool Document::saveCopy(void)
QString::fromUtf8(getDocument()->FileName.getValue()),
QObject::tr("%1 document (*.FCStd)").arg(exe));
if (!fn.isEmpty()) {
QFileInfo fi;
fi.setFile(fn);
const char * DocName = App::GetApplication().getDocumentName(getDocument());
// save as new file name
Gui::WaitCursor wc;
QString pyfn = Base::Tools::escapeEncodeFilename(fn);
Command::doCommand(Command::Doc,"App.getDocument(\"%s\").saveCopy(\"%s\")"
, DocName, (const char*)fn.toUtf8());
, DocName, (const char*)pyfn.toUtf8());
return true;
}

8
src/Mod/Image/Gui/Command.cpp
View File

@@ -25,6 +25,7 @@
#endif
#include <Base/Exception.h>
#include <Base/Tools.h>
#include <Base/Interpreter.h>
#include <App/Document.h>
#include <Gui/Application.h>
@@ -75,7 +76,8 @@ void CmdImageOpen::activated(int iMsg)
QString s = QFileDialog::getOpenFileName(Gui::getMainWindow(), QObject::tr("Choose an image file to open"),
QString::null, formats);
if (!s.isEmpty()) {
try{
try {
s = Base::Tools::escapeEncodeFilename(s);
// load the file with the module
Command::doCommand(Command::Gui, "import Image, ImageGui");
#if PY_MAJOR_VERSION < 3
@@ -148,9 +150,11 @@ void CmdCreateImagePlane::activated(int iMsg)
height = height * 1000 / yPixelsPerM;
int nHeight = static_cast<int>(height+0.5);
QString pyfile = Base::Tools::escapeEncodeFilename(s);
openCommand("Create ImagePlane");
doCommand(Doc,"App.activeDocument().addObject('Image::ImagePlane','%s\')",FeatName.c_str());
doCommand(Doc,"App.activeDocument().%s.ImageFile = '%s'",FeatName.c_str(),(const char*)s.toUtf8());
doCommand(Doc,"App.activeDocument().%s.ImageFile = '%s'",FeatName.c_str(),(const char*)pyfile.toUtf8());
doCommand(Doc,"App.activeDocument().%s.XSize = %d",FeatName.c_str(),nWidth);
doCommand(Doc,"App.activeDocument().%s.YSize = %d",FeatName.c_str(),nHeight);
doCommand(Doc,"App.activeDocument().%s.Placement = App.Placement(App.Vector(%f,%f,%f),App.Rotation(%f,%f,%f,%f))"