Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: Large Image Solution Pack
-
Labels:None
Description
Specifically here and here and possibly here (cancel that third one, it's already made sanitized)
In each of these cases, a path to a file is being passed into the invocation of exec() without being escaped; escapeshellcmd() is being relied upon instead, which cannot account for cases where the path needs to be escaped and in quotes (e.g., if there is a space in the path).
While this is typically not an issue (Large Image typically runs these on a sanitized temporary file), modules implementing these commands and others that rely on them, such as islandora_large_image_imagemagick_convert, will throw warnings and fail to function when providing files with spaces in them.
These lines should be modified so that any variables referencing paths are escaped through escapeshellarg().