From: pabs <pabs@1f10aa63-cdf2-0310-b900-c93c546f37ac>
Date: Fri, 7 Dec 2007 05:34:05 +0000 (+0000)
Subject: Security fix: the mod_imagemagick importer used system to run convert, change it... 
X-Git-Url: https://git.pterodactylus.net/?a=commitdiff_plain;h=37aab4b94303b25f08338f1f2bb40395a487bf02;p=synfig.git

Security fix: the mod_imagemagick importer used system to run convert, change it to use fork and exec. Malicious sif files could previously have executed arbitrary shell commands.

git-svn-id: http://svn.voria.com/code@1187 1f10aa63-cdf2-0310-b900-c93c546f37ac
---

diff --git a/synfig-core/trunk/src/modules/mod_imagemagick/mptr_imagemagick.cpp b/synfig-core/trunk/src/modules/mod_imagemagick/mptr_imagemagick.cpp
index 2481d06..4d7ca20 100644
--- a/synfig-core/trunk/src/modules/mod_imagemagick/mptr_imagemagick.cpp
+++ b/synfig-core/trunk/src/modules/mod_imagemagick/mptr_imagemagick.cpp
@@ -34,6 +34,9 @@
 #include <ETL/stringf>
 #include "mptr_imagemagick.h"
 #include <stdio.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
 #include <algorithm>
 #include <functional>
 #include <ETL/stringf>
@@ -77,11 +80,6 @@ imagemagick_mptr::get_frame(synfig::Surface &surface,Time /*time*/, synfig::Prog
 //#define HAS_LIBPNG 1
 
 #if 1
-	if(file)
-		pclose(file);
-
-	string command;
-
 	if(filename.empty())
 	{
 		if(cb)cb->error(_("No file to load"));
@@ -89,15 +87,27 @@ imagemagick_mptr::get_frame(synfig::Surface &surface,Time /*time*/, synfig::Prog
 		return false;
 	}
 	string temp_file="/tmp/deleteme.png";
+	string output="png32:"+temp_file;
 
-	if(filename.find("psd")!=String::npos)
-		command=strprintf("convert \"%s\" -flatten \"png32:%s\"\n",filename.c_str(),temp_file.c_str());
-	else
-		command=strprintf("convert \"%s\" \"png32:%s\"\n",filename.c_str(),temp_file.c_str());
-
-	synfig::info("command=%s",command.c_str());
+	pid_t pid = fork();
+  
+	if (pid == -1) {
+		return false;
+	}
+  
+	if (pid == 0){
+		// Child process
+		if(filename.find("psd")!=String::npos)
+			execlp("convert", "convert", filename.c_str(), "-flatten", output.c_str(), (const char *)NULL);
+		else
+			execlp("convert", "convert", filename.c_str(), output.c_str(), (const char *)NULL);
+		// We should never reach here unless the exec failed
+		return false;
+	}
 
-	if(system(command.c_str())!=0)
+	int status;
+	waitpid(pid, &status, 0);
+	if( (WIFEXITED(status) && WEXITSTATUS(status) != 0) || !WIFEXITED(status) )
 		return false;
 
 	Importer::Handle importer(Importer::open(temp_file));