Security: Avoid wrapping commands in double quotes as escapeshellarg() does not escape them from args

2 years ago · 841a07396f
parent e864127a44
commit 841a07396f
3 changed files with 9 additions and 12 deletions
--- a/main/lp/openoffice_presentation.class.php
+++ b/main/lp/openoffice_presentation.class.php
@ -253,11 +253,10 @@ class OpenofficePresentation extends OpenofficeDocument
            $this->slide_height = (int) $h;
        }

-        return ' -w '.$this->slide_width.' -h '.$this->slide_height.' -d oogie "'
+        return ' -w '.$this->slide_width.' -h '.$this->slide_height.' -d oogie '
            .Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)
-            .'"  "'
-            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'.html')
-            .'"';
+            .'  '
+            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'.html');
    }

    public function set_slide_size($width, $height)
--- a/main/lp/openoffice_text.class.php
+++ b/main/lp/openoffice_text.class.php
@ -331,11 +331,10 @@ class OpenofficeText extends OpenofficeDocument
     */
    public function add_command_parameters()
    {
-        return ' -d woogie "'
+        return ' -d woogie '
            .Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)
-            .'"  "'
-            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html')
-            .'"';
+            .'  '
+            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html');
    }

    /**
--- a/main/lp/openoffice_text_document.class.php
+++ b/main/lp/openoffice_text_document.class.php
@ -333,11 +333,10 @@ class OpenOfficeTextDocument extends OpenofficeDocument
     */
    public function add_command_parameters()
    {
-        return ' -d woogie "'
+        return ' -d woogie '
            .Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)
-            .'"  "'
-            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html')
-            .'"';
+            .'  '
+            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html');
    }

    /**