From b6a9d3074b05a74e71fff524f0e82d2d40b9d157 Mon Sep 17 00:00:00 2001
From: John Whitington
Date: Thu, 24 Apr 2025 16:30:40 +0100
Subject: [PATCH] Begin to check for injectible commands

---
 Changes        | 6 ++++++
 cpdfcommand.ml | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/Changes b/Changes
index 7e7ea25..02cce4b 100644
--- a/Changes
+++ b/Changes
@@ -9,6 +9,12 @@ Extended features:
 o -thinlines can ensure maximum as well as minimum thickness
 o New -decompress-just-content for easier content stream debugging
 
+Fixes:
+
+* Sanitizes inputs to prevent command injection attacks
+
+* = Supported by a grant from NLnet
+
 2.8.1 (April 2025)
 
 New features:
diff --git a/cpdfcommand.ml b/cpdfcommand.ml
index 3a24f0c..f8853c5 100644
--- a/cpdfcommand.ml
+++ b/cpdfcommand.ml
@@ -1637,12 +1637,15 @@ let setimageresolution f =
   args.op <- Some (ImageResolution f)
 
 let setimpath p =
+  Cpdfutil.check_injectible p;
   args.path_to_im <- p
 
 let setjbig2encpath p =
+  Cpdfutil.check_injectible p;
   args.path_to_jbig2enc <- p
 
 let setp2ppath p =
+  Cpdfutil.check_injectible p;
   args.path_to_p2p <- p
 
 let setfrombox s =
@@ -2804,7 +2807,7 @@ let specs =
    Arg.String setpostpend,
    " Postpend content to page");
   ("-gs",
-   Arg.String (fun s -> args.path_to_ghostscript <- s),
+   Arg.String (fun s -> Cpdfutil.check_injectible s; args.path_to_ghostscript <- s),
    " Path to gs executable");
   ("-gs-malformed",
    Arg.Unit setgsmalformed,
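Review bot: `Cpdfutil.check_injectible p` in `setimpath`, `setjbig2encpath` and `setp2ppath` guards only the executable path string; its definition is not part of this patch, so what it actually rejects cannot be judged here, and a filter on the path does nothing for the other operands (input and output file names) that are presumably concatenated into the same command line when these tools are invoked. If the tools are launched via `Sys.command` with a string built from these paths, the durable fix is to spawn them with `Unix.create_process path argv` so no shell ever parses the arguments, keeping this check only as defense in depth. If `check_injectible` reports a bad path by raising anything other than `Arg.Bad`, the failure will escape `Arg.parse` as an uncaught exception instead of the usual usage error — worth confirming, and worth a one-line comment above the three setters saying what the check guarantees. `setfrombox` begins at the end of the hunk and continues outside it.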
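Review bot: The `-gs` entry now carries the injection check inside an anonymous closure, while the three sibling tool paths in the same commit get it through named setters; the inconsistency makes the next audit of "every external executable path is checked" harder than it needs to be. Suggest adding `let setgspath p = Cpdfutil.check_injectible p; args.path_to_ghostscript <- p` next to `setp2ppath` and changing this line to `Arg.String setgspath,` so all four checks sit together. The `specs` list starts and ends outside this hunk.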