Jeremie Koenig wrote:
> This is caused by the following piece of code (llgal.in, line 1587):
> ------
> # remove old webpages
> system ("rm -f
> $self->{destination_dir}$opts->{slide_filenameprefix}*.$opts->{www_extension}")
> ;
> die "Failed to remove existing webpages.\n" if $? ;
> ------
>
Thanks, I'll apply your fix right away.
> I also noticed two similar problems with the generation of thumbnails
> and scaled images (llgal.in, lines 597 and 690):
> ------
> # scale down
> my $cmdline = $opts->{thumbnail_create_command} ;
> $cmdline =~ s/<IN>/\"$real_filename\"/g ;
> $cmdline =~ s/<OUT>/\"$real_thumb_filename\"/g ;
> ($status, @output) = Llgal::Utils::system_with_output ( "create '$filename'
> thumbnail ", $cmdline ) ;
> ------
> If an image is called '";rm -rf /;.jpg', something bad is going to
> happen :-P
>
> I've fixed these problem with the attached patch.
>
> Note that in the case of thumbnail/scaled image creation, my patch
> changes the meaning of the {thumbnail,scaled}_create_command
> configuration option, which is no longer processed by the shell, so you
> may want to escape some characters in filenames instead, or warn the
> user of the change if any shell metas are found in these commands.
>
This case is supposed to be protected by double-quotes. Did you actually
see a problem occur there? Or did you just find a possible problem by
looking at the code?
> @@ -595,10 +595,12 @@
> $real_thumb_filename = $real_filename ;
> } else {
> # scale down
> - my $cmdline = $opts->{thumbnail_create_command} ;
> - $cmdline =~ s/<IN>/\"$real_filename\"/g ;
> - $cmdline =~ s/<OUT>/\"$real_thumb_filename\"/g ;
> - ($status, @output) = Llgal::Utils::system_with_output ( "create
> '$filename' thumbnail", $cmdline ) ;
> + my @cmdline = map {
> + s/<IN>/$real_filename/g ;
> + s/<OUT>/$real_thumb_filename/g ;
> + $_ ;
> + } split (' ', $opts->{thumbnail_create_command}) ;
>
I don't think this split will work if the image filename contains
spaces. I could use Text::ParseWords to split correctly. But if my
double-quotes are actually protecting the code well here, I won't do it
for now (I have to minimize the changes to get a chance of going into
Etch). I'll wait for you reply before fixing anything there.
Thanks a lot!
Brice
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
