Prevent shell injection in load_djpeg

2025-01-13 18:56:17 +03:00 · 2014-06-25 21:34:16 -04:00 · 2014-06-25 21:34:16 -04:00 · cd7b45994b
commit cd7b45994b
parent 5e3bf95c84
1 changed files with 7 additions and 1 deletions
--- a/PIL/JpegImagePlugin.py
+++ b/PIL/JpegImagePlugin.py
@ -34,12 +34,18 @@

 __version__ = "0.6"

+import sys
 import array
 import struct
 from PIL import Image, ImageFile, _binary
 from PIL.JpegPresets import presets
 from PIL._util import isStringType

+if sys.version_info >= (3, 3):
+    from shlex import quote
+else:
+    from pipes import quote
+
 i8 = _binary.i8
 o8 = _binary.o8
 i16 = _binary.i16be
@ -359,7 +365,7 @@ class JpegImageFile(ImageFile.ImageFile):
        f, path = tempfile.mkstemp()
        os.close(f)
        if os.path.exists(self.filename):
-            os.system("djpeg '%s' >'%s'" % (self.filename, path))
+            os.system("djpeg %s > '%s'" % (quote(self.filename), path))
        else:
            raise ValueError("Invalid Filename")