From 95b93cbf64add255dee53275649e3f7abd9cb687 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Mon, 27 Jan 2014 13:01:06 -0800
Subject: [PATCH] SECURITY: Escape all shell arguments
Ensure all shell arguments are escaped individually.
Bug: 60339
---
 PdfHandler_body.php | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/PdfHandler_body.php b/PdfHandler_body.php
index 8fa6719..d9ed488 100644
--- a/PdfHandler_body.php
+++ b/PdfHandler_body.php
@@ -167,13 +167,28 @@ class PdfHandler extends ImageHandler {
 $srcPath = $image->getLocalRefPath();
- $cmd = '(' . wfEscapeShellArg( $wgPdfProcessor );
- $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page} -dLastPage={$page}";
- $cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg( $srcPath );
- $cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );
- $cmd .= " -depth 8 -resize {$width} - ";
- $cmd .= wfEscapeShellArg( $dstPath ) . ")";
- $cmd .= " 2>&1";
+ $cmd = '(' . wfEscapeShellArg(
+ $wgPdfProcessor,
+ "-sDEVICE=jpeg",
+ "-sOutputFile=-",
+ "-dFirstPage={$page}",
+ "-dLastPage={$page}",
+ "-r{$wgPdfHandlerDpi}",
+ "-dBATCH",
+ "-dNOPAUSE",
+ "-q",
+ $srcPath
+ );
+ $cmd .= " | " . wfEscapeShellArg(
+ $wgPdfPostProcessor,
+ "-depth",
+ "8",
+ "-resize",
+ $width,
+ "-",
+ $dstPath
+ );
+ $cmd .= ") 2>&1";
 wfProfileIn( 'PdfHandler' );
 wfDebug( __METHOD__ . ": $cmd\n" );
-- 
1.8.4
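Review bot: `$page` and `$width` are now quoted as individual shell words, but quoting does not constrain their content, so a non-numeric value would still reach Ghostscript inside `-dFirstPage=`/`-dLastPage=` or reach the post-processor as the `-resize` operand. Where they come from is outside the hunk (the method starts before it), so unless they are already validated upstream I would normalise them before building `$cmd`: `$page = (int)$page; $width = (int)$width;`. The same applies to `$srcPath` and `$dstPath`: escaping does not stop a value beginning with `-` from being read as an option, so it is worth confirming both are always absolute, server-generated paths. If the source PDF can be user-supplied, also consider adding `"-dSAFER"` to the Ghostscript argument list so the interpreter runs with file access restricted.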