
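--- a/teTeX-src-beta-20020207/texk/kpathsea/tex-make.c.security
+++ b/teTeX-src-beta-20020207/texk/kpathsea/tex-make.c.security
@@ -138,14 +138,6 @@
   int save_stderr = -1;
 #endif
 
-  /* If the user snuck `backquotes` or $(command) substitutions into the
-     name, foil them.  */
-  for (i = 0; i < strlen (cmd); i++) {
-    if (cmd[i] == '`' || (cmd[i] == '$' && cmd[i+1] == '(')) {
-      cmd[i] = '#';
-    }
-  }
-
   /* Tell the user we are running the script, so they have a clue as to
      what's going on if something messes up.  But if they asked to
      discard output, they probably don't want to see this, either.  */
@@ -259,10 +251,31 @@
     string args, cmd;
     const_string prog = spec.program;
     const_string arg_spec = spec.program_args;
+    unsigned int i;
 
     if (format <= kpse_any_glyph_format)
       set_maketex_mag ();
 
+    /* If the user snuck `backquotes` or $(command) substitutions etc
+       into the name, foil them.
+       Thwart ../ in file names too.
+     */
+    for (i = 0; i < strlen (base); i++) {
+      char c = base[i];
+
+      if (c == '.' && base[i+1] == '.' && base[i+2] == '/') {
+        base[i] = base[i+1] = '_';
+        continue;
+      }
+      
+      if (('A' <= c && c <= 'Z')
+       || ('a' <= c && c <= 'z')
+       || ('0' <= c && c <= '9')
+       || strchr("_-.", c))
+        continue;
+      base[i] = '#';
+    }
+
     /* Here's an awful kludge: if the mode is `/', mktexpk recognizes
        it as a special case.  `kpse_prog_init' sets it to this in the
        first place when no mode is otherwise specified; this is so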
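Review bot: The new whitelist at new lines 263-277 filters only `base`, while the first hunk removes the backquote/`$(` filter that ran over the whole `cmd`, so anything else that ends up in the command (for instance text expanded from `arg_spec`) is no longer checked. The command construction lies outside both hunks, so this needs confirming, but if those values can carry user-controlled text they should pass the same whitelist before the script runs. The whitelist also accepts a leading `-`, which the script may read as an option rather than a file name; a guard before the loop such as `if (base[0] == '-') base[0] = '_';` would cover that. Rejected characters are rewritten to `#` in place, so the script still runs, under a name different from the one requested, and the caller's `base` is altered too; returning without running the script when any character is rejected would be easier to reason about. As a style point, `strlen (base)` in the loop condition rescans the string on every iteration and can be hoisted into a local.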
