fix further file names vulnerabilities in core system and Image module

wmayer
2019-10-02 15:07:13 +02:00
parent bed78b0b7b
commit d2be4f115d
3 changed files with 14 additions and 7 deletions

@@ -25,6 +25,7 @@
#endif
#include <Base/Exception.h>
#include <Base/Tools.h>
#include <Base/Interpreter.h>
#include <App/Document.h>
#include <Gui/Application.h>
@@ -75,7 +76,8 @@ void CmdImageOpen::activated(int iMsg)
QString s = QFileDialog::getOpenFileName(Gui::getMainWindow(), QObject::tr("Choose an image file to open"),
QString::null, formats);
if (!s.isEmpty()) {
try{
try {
s = Base::Tools::escapeEncodeFilename(s);
// load the file with the module
Command::doCommand(Command::Gui, "import Image, ImageGui");
#if PY_MAJOR_VERSION < 3
@@ -148,9 +150,11 @@ void CmdCreateImagePlane::activated(int iMsg)
height = height * 1000 / yPixelsPerM;
int nHeight = static_cast<int>(height+0.5);
QString pyfile = Base::Tools::escapeEncodeFilename(s);
openCommand("Create ImagePlane");
doCommand(Doc,"App.activeDocument().addObject('Image::ImagePlane','%s\')",FeatName.c_str());
doCommand(Doc,"App.activeDocument().%s.ImageFile = '%s'",FeatName.c_str(),(const char*)s.toUtf8());
doCommand(Doc,"App.activeDocument().%s.ImageFile = '%s'",FeatName.c_str(),(const char*)pyfile.toUtf8());
doCommand(Doc,"App.activeDocument().%s.XSize = %d",FeatName.c_str(),nWidth);
doCommand(Doc,"App.activeDocument().%s.YSize = %d",FeatName.c_str(),nHeight);
doCommand(Doc,"App.activeDocument().%s.Placement = App.Placement(App.Vector(%f,%f,%f),App.Rotation(%f,%f,%f,%f))"
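Review bot: In CmdCreateImagePlane::activated the escaped `pyfile` is spliced into a single-quoted Python literal on the `ImageFile` line, so the fix is only as strong as `Base::Tools::escapeEncodeFilename`, whose body is not part of this diff; it should be confirmed that it escapes backslashes and line breaks as well as both quote characters, since file names on some platforms can contain them. A comment on the new line would record that contract, e.g. `// pyfile is escaped for use inside a quoted Python string literal; never pass the raw path to doCommand`. In CmdImageOpen::activated the change overwrites `s` with the escaped form instead of introducing a separate variable as done here; if `s` is used as a filesystem path later in that function (outside the hunk) it would now carry the escape sequences, so `const QString pyfile = Base::Tools::escapeEncodeFilename(s);` would be the safer and more consistent form. Both function bodies extend beyond the visible hunks.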