Security: Avoid wrapping commands in double quotes as escapeshellarg() does not escape them from args

ywarnier · ywarnier · commit 841a07396fed · 2023-09-21T15:06:17.000+02:00
diff --git a/main/lp/openoffice_presentation.class.php b/main/lp/openoffice_presentation.class.php
@@ -253,11 +253,10 @@ public function add_command_parameters()
             $this->slide_height = (int) $h;
         }
 
-        return ' -w '.$this->slide_width.' -h '.$this->slide_height.' -d oogie "'
+        return ' -w '.$this->slide_width.' -h '.$this->slide_height.' -d oogie '
             .Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)
-            .'"  "'
-            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'.html')
-            .'"';
+            .'  '
+            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'.html');
     }
 
     public function set_slide_size($width, $height)
diff --git a/main/lp/openoffice_text.class.php b/main/lp/openoffice_text.class.php
@@ -331,11 +331,10 @@ public function dealPerPage($header, $body)
      */
     public function add_command_parameters()
     {
-        return ' -d woogie "'
+        return ' -d woogie '
             .Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)
-            .'"  "'
-            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html')
-            .'"';
+            .'  '
+            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html');
     }
 
     /**
diff --git a/main/lp/openoffice_text_document.class.php b/main/lp/openoffice_text_document.class.php
@@ -333,11 +333,10 @@ public function dealPerPage($header, $body)
      */
     public function add_command_parameters()
     {
-        return ' -d woogie "'
+        return ' -d woogie '
             .Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)
-            .'"  "'
-            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html')
-            .'"';
+            .'  '
+            .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html');
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -253,11 +253,10 @@ public function add_command_parameters()`
`253`	`253`	`$this->slide_height = (int) $h;`
`254`	`254`	`}`
`255`	`255`
`256`		`- return ' -w '.$this->slide_width.' -h '.$this->slide_height.' -d oogie "'`
	`256`	`+ return ' -w '.$this->slide_width.' -h '.$this->slide_height.' -d oogie '`
`257`	`257`	`.Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)`
`258`		`- .'" "'`
`259`		`- .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'.html')`
`260`		`- .'"';`
	`258`	`+ .' '`
	`259`	`+ .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'.html');`
`261`	`260`	`}`
`262`	`261`
`263`	`262`	`public function set_slide_size($width, $height)`
Original file line number	Diff line number	Diff line change
`@@ -331,11 +331,10 @@ public function dealPerPage($header, $body)`
`331`	`331`	`*/`
`332`	`332`	`public function add_command_parameters()`
`333`	`333`	`{`
`334`		`- return ' -d woogie "'`
	`334`	`+ return ' -d woogie '`
`335`	`335`	`.Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)`
`336`		`- .'" "'`
`337`		`- .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html')`
`338`		`- .'"';`
	`336`	`+ .' '`
	`337`	`+ .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html');`
`339`	`338`	`}`
`340`	`339`
`341`	`340`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -333,11 +333,10 @@ public function dealPerPage($header, $body)`
`333`	`333`	`*/`
`334`	`334`	`public function add_command_parameters()`
`335`	`335`	`{`
`336`		`- return ' -d woogie "'`
	`336`	`+ return ' -d woogie '`
`337`	`337`	`.Security::sanitizeExecParam($this->base_work_dir.'/'.$this->file_path)`
`338`		`- .'" "'`
`339`		`- .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html')`
`340`		`- .'"';`
	`338`	`+ .' '`
	`339`	`+ .Security::sanitizeExecParam($this->base_work_dir.$this->created_dir.'/'.$this->file_name.'.html');`
`341`	`340`	`}`
`342`	`341`
`343`	`342`	`/**`