Package: llgal
Version: 0.13.9-1
Severity: normal
Tags: patch

Hello,
I get the following error when llgal tries to process a directory with shell metacharacters:

------
Entering subdirectory 'camping (presque) sauvage'...
Listing entries in . : 100.00%
Preparing entries: 100.00%
Found 196 entries in directory photos/vince/camping (presque) sauvage/
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `rm -f photos/vince/camping (presque) sauvage/slide_*.html'
Failed to remove existing webpages.
------

This is caused by the following piece of code (llgal.in, line 1587):

------
# remove old webpages
system ("rm -f $self->{destination_dir}$opts->{slide_filenameprefix}*.$opts->{www_extension}") ;
die "Failed to remove existing webpages.\n"
    if $? ;
------

I also noticed two similar problems with the generation of thumbnails and scaled images (llgal.in, lines 597 and 690):

------
# scale down
my $cmdline = $opts->{thumbnail_create_command} ;
$cmdline =~ s/<IN>/\"$real_filename\"/g ;
$cmdline =~ s/<OUT>/\"$real_thumb_filename\"/g ;
($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' thumbnail ", $cmdline ) ;
------

If an image is called '";rm -rf /;.jpg', something bad is going to happen :-P

I've fixed these problems with the attached patch. Note that in the case of thumbnail/scaled image creation, my patch changes the meaning of the {thumbnail,scaled}_create_command configuration option, which is no longer processed by the shell, so you may want to escape some characters in filenames instead, or warn the user of the change if any shell metas are found in these commands.

Hope this helps, and thanks for your work on llgal!

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages llgal depends on:
ii  imagemagick          7:6.2.4.5.dfsg1-0.13  Image manipulation programs
ii  libimage-size-perl   3.01-1                determine the size of images in se
ii  liblocale-gettext-p  1.05-1                Using libc functions for internati
ii  liburi-perl          1.35-2                Manipulates and accesses URI strin
ii  perl                 5.8.8-7               Larry Wall's Practical Extraction

Versions of packages llgal recommends:
pn  libimage-exiftool-perl  <none>  (no description available)

-- no debconf information

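The difference between the string form and the list form of system() described in the report, as an added example that is not part of the original message or of llgal. The 'echo <IN>' template and both filenames are constructed stand-ins for thumbnail_create_command and real image names.

```perl
#!/usr/bin/perl
# Added example, not llgal code.
use strict;
use warnings;

$| = 1;    # keep our own output in order with the child processes' output

# Constructed, harmless names; the second one breaks out of double quotes.
my @names = ('camping (presque) sauvage.jpg', 'a";echo INJECTED;".jpg');

# Hypothetical stand-in for thumbnail_create_command (assumption).
my $template = 'echo <IN>';

# Split the template first and substitute afterwards, so the filename
# stays one argv element whatever characters it contains.
sub build_argv {
    my ($tmpl, $in) = @_;
    return map { (my $word = $_) =~ s/<IN>/$in/g; $word } split ' ', $tmpl;
}

for my $name (@names) {
    # Before: substitution into one string, which Perl hands to "sh -c"
    # because it contains shell metacharacters.
    (my $cmdline = $template) =~ s/<IN>/\"$name\"/g;
    print "string form: $cmdline\n";
    system($cmdline);

    # After: the block form names the program explicitly, so Perl never
    # falls back to the shell, even for a one-element list.
    my @argv = build_argv($template, $name);
    print "list form:   ", join(' | ', @argv), "\n";
    system { $argv[0] } @argv;
}
```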
diff -ru llgal-0.13.9/llgal.in llgal-0.13.9.jk/llgal.in --- llgal-0.13.9/llgal.in 2006-11-16 22:13:53.000000000 +0100 +++ llgal-0.13.9.jk/llgal.in 2007-01-28 15:32:43.000000000 +0100 @@ -595,10 +595,12 @@ $real_thumb_filename = $real_filename ; } else { # scale down - my $cmdline = $opts->{thumbnail_create_command} ; - $cmdline =~ s/<IN>/\"$real_filename\"/g ; - $cmdline =~ s/<OUT>/\"$real_thumb_filename\"/g ; - ($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' thumbnail", $cmdline ) ; + my @cmdline = map { + s/<IN>/$real_filename/g ; + s/<OUT>/$real_thumb_filename/g ; + $_ ; + } split (' ', $opts->{thumbnail_create_command}) ; + ($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' thumbnail", @cmdline ) ; if ($status == -1) { $messages->warning (@output) ; $messages->abort_percentage ; @@ -688,10 +690,12 @@ $real_scaled_filename = $real_filename ; } else { # scale down - my $cmdline = $opts->{scaled_create_command} ; - $cmdline =~ s/<IN>/\"$real_filename\"/g ; - $cmdline =~ s/<OUT>/\"$real_scaled_filename\"/g ; - ($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' scaled image", $cmdline ) ; + my @cmdline = map { + s/<IN>/$real_filename/g ; + s/<OUT>/$real_scaled_filename/g ; + $_ ; + } split (' ', $opts->{scaled_create_command}) ; + ($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' scaled image", @cmdline ) ; if ($status == -1) { $messages->warning (@output) ; $messages->abort_percentage ; 
@@ -1585,9 +1589,14 @@ my @entries = @{$gallery->{entries}} ; # remove old webpages - system ("rm -f $self->{destination_dir}$opts->{slide_filenameprefix}*.$opts->{www_extension}") ; - die "Failed to remove existing webpages.\n" - if $? ; + opendir DIR, $self->{destination_dir} ? $self->{destination_dir} : "./" ; # destination is empty for './' + while ($_ = readdir DIR ) { + if (/^$opts->{slide_filenameprefix}.*\.$opts->{www_extension}$/) { + unlink "$self->{destination_dir}$_" + or die "Failed to remove existing webpage '$_' ($!).\n" ; + } + } + closedir DIR ; # find the slidetemplate my $slidetemplate = (Llgal::Templates::find_template_file ($self, $opts, $opts->{slidetemplate_filename}, 1))
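Review bot: in the thumbnail hunk (@@ -595,10 +595,12 @@), split (' ', $opts->{thumbnail_create_command}) tokenizes the configured command on whitespace only, so an existing configuration that quotes an argument containing spaces, or relies on a pipe or redirection, changes meaning without any message to the user. Document the new semantics next to the option, or emit a warning when the configured string contains quotes or shell metacharacters.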
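Review bot: the scaled-image hunk (@@ -688,10 +690,12 @@) repeats the map/split block of the thumbnail hunk line for line, and both call sites now pass a list to Llgal::Utils::system_with_output, whose body is not part of this diff. Move the expansion into one shared helper, and confirm that system_with_output executes the list as separate arguments rather than joining it back into a single string, otherwise the filename is parsed by sh again.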
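Review bot: in the @@ -1585,9 +1589,14 @@ hunk the return value of opendir is never checked, so when the destination directory cannot be opened readdir has nothing to read and the cleanup is skipped without a fatal error; add an "or die" with $! on the opendir line. The pattern /^$opts->{slide_filenameprefix}.*\.$opts->{www_extension}$/ also interpolates both options as regex syntax, so wrap each in \Q...\E to make a prefix or extension containing '.', '+' or '(' match literally.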