From 511117eba1f7ff8b2878dba6b1dd204ae5098448 Mon Sep 17 00:00:00 2001
From: Marius Gavrilescu
Date: Sun, 23 Feb 2014 21:15:06 +0200
Subject: [PATCH] Escape theme name before passing it to system(3)
---
 .../patches/escape-theme-name-in-system.patch | 63 +++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 debian/patches/escape-theme-name-in-system.patch
diff --git a/debian/patches/escape-theme-name-in-system.patch b/debian/patches/escape-theme-name-in-system.patch
new file mode 100644
index 0000000..1ebbfa9
--- /dev/null
+++ b/debian/patches/escape-theme-name-in-system.patch
@@ -0,0 +1,63 @@
+Description: Escape theme name before passing it to system(3)
+Bug-Debian: https://bugs.debian.org/739709
+Author: Marius Gavrilescu
+Forwarded: no
+Last-Update: 2014-02-23
+
+--- a/main.c
++++ b/main.c
+@@ -808,27 +808,51 @@
+ }
+ }
+
++static gchar *shell_escape (gchar *arg)
++{
++ gchar *out;
++ gint n;
++
++ out = g_new(gchar, strlen(arg) * 2 + 1);
++ n = 0;
++ for(;*arg;arg++)
++ {
++ if(*arg == '\'')
++ {
++ out[n++] = '\'';
++ out[n++] = '\\';
++ out[n++] = '\'';
++ }
++ out[n++] = *arg;
++ }
++ out[n] = 0;
++
++ return out;
++ }
++
+ static short install_tarball (gchar *path, gchar **rc_file)
+ {
+- gchar *command, *themedir;
++ gchar *command, *themedir, *escaped_path;
+ gint result;
+ GList *new_list, *new_theme;
+
+ themedir = g_strdup_printf ("%s/.themes", homedir);
++ escaped_path = shell_escape (path);
+
+ if (path[0] != '/')
+ {
+ gchar *cwd = g_get_current_dir();
+- command = g_strdup_printf ("tar --directory %s -xzf %s/%s 2>/dev/null", themedir, cwd, path);
++ command = g_strdup_printf ("tar --directory %s -xzf %s/'%s' 2>/dev/null", themedir, cwd, escaped_path);
+ g_free (cwd);
+ }
+ else
+- command = g_strdup_printf ("tar --directory %s -xzf %s 2>/dev/null", themedir, path);
++ command = g_strdup_printf ("tar --directory %s -xzf '%s' 2>/dev/null", themedir, escaped_path);
+
+ /* Ensure that ~/.themes exists */
+ mkdir (themedir, S_IRUSR | S_IWUSR | S_IXUSR);
+
+ result = system(command);
++ g_free (escaped_path);
+ g_free (command);
+ g_free (themedir);
+ if (result != EXIT_SUCCESS)
diff --git a/debian/patches/series b/debian/patches/series
index 7039fe6..720ceef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 fix-spelling.patch
 exit-cleanly-when-we-have-no-homedir.patch
+escape-theme-name-in-system.patch
--
2.39.2
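Review bot: The buffer in `shell_escape` is too small: each `'` in the input is written as four bytes (`'\''`), but the allocation is `strlen(arg) * 2 + 1`, so a path in which more than a third of the characters are single quotes writes past the end of the heap block. Size it for the worst case, `out = g_new(gchar, strlen(arg) * 4 + 1);`, and declare `n` as `gsize`; alternatively drop the helper in favour of GLib's `g_shell_quote (path)` and remove the literal quotes from the two format strings. `themedir` and `cwd` are still interpolated unquoted in both `g_strdup_printf` calls, so a home or working directory name containing spaces or shell metacharacters is still parsed by the shell and needs the same quoting. `install_tarball` continues past the end of the hunk, so the handling of `result` is not visible here.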