From cd7b45994b1b1a016a29401d7ab3faf9b7c7d054 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Wed, 25 Jun 2014 21:34:16 -0400
Subject: [PATCH] Prevent shell injection in load_djpeg
---
 PIL/JpegImagePlugin.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/PIL/JpegImagePlugin.py b/PIL/JpegImagePlugin.py
index 1d300fc04..8a06cf5a5 100644
--- a/PIL/JpegImagePlugin.py
+++ b/PIL/JpegImagePlugin.py
@@ -34,12 +34,18 @@ __version__ = "0.6"
+import sys
 import array
 import struct
 from PIL import Image, ImageFile, _binary
 from PIL.JpegPresets import presets
 from PIL._util import isStringType
+if sys.version_info >= (3, 3):
+ from shlex import quote
+else:
+ from pipes import quote
+
 i8 = _binary.i8
 o8 = _binary.o8
 i16 = _binary.i16be
@@ -359,7 +365,7 @@ class JpegImageFile(ImageFile.ImageFile):
 f, path = tempfile.mkstemp()
 os.close(f)
 if os.path.exists(self.filename):
- os.system("djpeg '%s' >'%s'" % (self.filename, path))
+ os.system("djpeg %s > '%s'" % (quote(self.filename), path))
 else:
 raise ValueError("Invalid Filename")
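Review bot: The new `os.system` line still hands a shell a string: `self.filename` is now quoted, but `path` from `tempfile.mkstemp()` is interpolated inside bare single quotes, so the command line remains shell-interpreted and only as safe as every substituted value. The robust fix is to drop the shell entirely and redirect stdout via a file object, e.g. `with open(path, "wb") as out:` followed by `subprocess.check_call(["djpeg", self.filename], stdout=out)`, which also makes the `shlex`/`pipes` `quote` import in the first hunk unnecessary. As written, the return value of `os.system` is discarded, so a missing or failing `djpeg` leaves an empty temp file that the code after the hunk presumably goes on to open; `check_call` would instead surface that as `CalledProcessError`, which a caller of `load_djpeg` may want documented alongside the existing `ValueError`. The enclosing `load_djpeg` method starts before and continues after this hunk, so where `subprocess` is imported (next to wherever `tempfile` and `os` are brought in) is outside the visible lines.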