0004809: Security vulnerability in DWG import when using ODA file converter

2021-12-28 16:15:42 +01:00
parent 260a40f133
commit d538872eb2
1 changed files with 8 additions and 12 deletions
--- a/src/Mod/Draft/importDWG.py
+++ b/src/Mod/Draft/importDWG.py
@@ -44,8 +44,6 @@ https://knowledge.autodesk.com/support/autocad/downloads/
 # *                                                                         *
 # ***************************************************************************

-# TODO: use subprocess.popen() instead of subprocess.call()
-
 import six
 import FreeCAD
 from FreeCAD import Console as FCC
@@ -216,13 +214,10 @@ def convertToDxf(dwgfilename):
            indir = os.path.dirname(dwgfilename)
            outdir = tempfile.mkdtemp()
            basename = os.path.basename(dwgfilename)
-            cmdline = ('"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"' % (teigha, indir, outdir, basename))
-            FCC.PrintMessage(translate("draft", "Converting:") + " " + cmdline + "\n")
-            if six.PY2:
-                if isinstance(cmdline, six.text_type):
-                    encoding = sys.getfilesystemencoding()
-                    cmdline = cmdline.encode(encoding)
-            subprocess.call(cmdline, shell=True)  # os.system(cmdline)
+            cmdline = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
+            FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+            proc = subprocess.Popen(cmdline)
+            proc.communicate()
            result = outdir + os.sep + os.path.splitext(basename)[0] + ".dxf"
            if os.path.exists(result):
                FCC.PrintMessage(translate("draft", "Conversion successful") + "\n")
@@ -291,9 +286,10 @@ def convertToDwg(dxffilename, dwgfilename):
            indir = os.path.dirname(dxffilename)
            outdir = os.path.dirname(dwgfilename)
            basename = os.path.basename(dxffilename)
-            cmdline = ('"%s" "%s" "%s" "ACAD2000" "DWG" "0" "1" "%s"' % (teigha, indir, outdir, basename))
-            FCC.PrintMessage(translate("draft", "Converting:") + " " + cmdline + "\n")
-            subprocess.call(cmdline, shell=True)  # os.system(cmdline)
+            cmdline = [teigha, indir, outdir, "ACAD2000", "DWG", "0", "1", basename]
+            FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+            proc = subprocess.Popen(cmdline)
+            proc.communicate()
            return dwgfilename
        else:
            if conv != 0: