python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-28 02:04:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

Prevent shell injection in load_djpeg

Browse Source
This commit is contained in:
Michael Brown 2014-06-25 21:34:16 -04:00
parent 5e3bf95c84
commit cd7b45994b
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
PIL/JpegImagePlugin.py
View File

@ -34,12 +34,18 @@
__version__ = "0.6" __version__ = "0.6"
import sys
import array import array
import struct import struct
from PIL import Image, ImageFile, _binary from PIL import Image, ImageFile, _binary
from PIL.JpegPresets import presets from PIL.JpegPresets import presets
from PIL._util import isStringType from PIL._util import isStringType
if sys.version_info >= (3, 3):
from shlex import quote
else:
from pipes import quote
i8 = _binary.i8 i8 = _binary.i8
o8 = _binary.o8 o8 = _binary.o8
i16 = _binary.i16be i16 = _binary.i16be
@ -359,7 +365,7 @@ class JpegImageFile(ImageFile.ImageFile):
f, path = tempfile.mkstemp() f, path = tempfile.mkstemp()
os.close(f) os.close(f)
if os.path.exists(self.filename): if os.path.exists(self.filename):
os.system("djpeg '%s' >'%s'" % (self.filename, path)) os.system("djpeg %s > '%s'" % (quote(self.filename), path))
else: else:
raise ValueError("Invalid Filename") raise ValueError("Invalid Filename")