dvi: Mitigate command injection attacks by quoting filename
With commit 1fcca0b8 came a DVI backend. It exports to PDF via the dvipdfm tool. It calls that tool with the filename of the currently loaded document. If that filename is cleverly crafted, it can escape the currently used manual quoting of the filename. Instead of manually quoting the filename, we use g_shell_quote.

https://bugzilla.gnome.org/show_bug.cgi?id=784947
parent 8f2476fb
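The difference between manual quoting and shell-safe quoting, as an added example that is not code from this commit or from the project. It assumes the manual quoting wrapped the filename in double quotes (the page does not show it); `naive_quote`, `shell_quote` and `active_chars` are hypothetical names, the filename is constructed, and `shell_quote` is a stand-alone re-implementation of the single-quote escaping that g_shell_quote applies, used here only to avoid the GLib dependency.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed form of the manual quoting: wrap the name in double quotes. */
char *naive_quote(const char *s) {
    char *out = malloc(strlen(s) + 3);
    if (out) sprintf(out, "\"%s\"", s);
    return out;
}

/* POSIX single-quote escaping: wrap in '...' and rewrite each ' as '\''. */
char *shell_quote(const char *s) {
    size_t n = 3;                               /* two quotes + NUL */
    for (const char *p = s; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\''; *w = '\0';
    return out;
}

/* Count characters sh would still interpret in a quoted word: $ and ` unless
 * single-quoted, separators and operators outside quotes, an open quote. */
int active_chars(const char *word) {
    enum { NONE, SINGLE, DOUBLE } q = NONE;
    int active = 0;
    for (const char *p = word; *p; p++) {
        if (q == SINGLE) { if (*p == '\'') q = NONE; continue; }
        if (*p == '\\') { if (p[1]) p++; continue; }  /* escaped char */
        if (*p == '"') { q = (q == DOUBLE) ? NONE : DOUBLE; continue; }
        if (q == NONE && *p == '\'') { q = SINGLE; continue; }
        if (strchr("$`", *p) || (q == NONE && strchr(" \t\n;|&<>()*?[]~#", *p)))
            active++;
    }
    return active + (q != NONE);
}

int main(void) {
    const char *name = "a\" $HOME \"b.dvi";     /* constructed filename */
    char *a = naive_quote(name), *b = shell_quote(name);
    if (a && b) printf("%s -> %d\n%s -> %d\n", a, active_chars(a), b, active_chars(b));
    free(a); free(b);
    return 0;
}
```

A non-zero count means part of the filename reaches the shell as syntax rather than as data; the single-quoted form reports zero for any input.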