From 33321b43cafbb731bff062aeffd6f46e38749faf Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Wed, 27 May 2015 00:18:45 +0200
Subject: Improve running of external commands

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 application/controllers/file.php | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

(limited to 'application/controllers')

diff --git a/application/controllers/file.php b/application/controllers/file.php
index 9e920b9fa..83204c318 100644
--- a/application/controllers/file.php
+++ b/application/controllers/file.php
@@ -130,7 +130,7 @@ class File extends MY_Controller {
 			handle_etag($etag);
 			header("Content-disposition: inline; filename=\"".$id."_qr.png\"\n");
 			header("Content-Type: image/png\n");
-			passthru('qrencode -s 10 -o - '.escapeshellarg(site_url($id).'/'));
+			echo (new \libraries\ProcRunner(array('qrencode', '-s', '10', '-o', '-', site_url($id).'/')))->execSafe()['stdout'];
 			exit();
 
 		case "info":
@@ -235,28 +235,31 @@ class File extends MY_Controller {
 
 	private function _colorify($file, $lexer, $anchor_id = false)
 	{
-		$return_value = 0;
 		$output = "";
 		$lines_to_remove = 0;
 
 		$output .= '<div class="code content table">'."\n";
 		$output .= '<div class="highlight"><pre>'."\n";
 
-		ob_start();
 		if ($lexer == "ascii") {
-			passthru('ansi2html -p < '.escapeshellarg($file), $return_value);
+			// TODO: use exec safe and catch exception
+			$ret = (new \libraries\ProcRunner(array('ansi2html', '-p')))
+				->input(file_get_contents($file))
+				->forbid_stderr()
+				->exec();
 			// Last line is empty
 			$lines_to_remove = 1;
 		} else {
-			passthru('pygmentize -F codetagify -O encoding=guess,outencoding=utf8,stripnl=False -l '.escapeshellarg($lexer).' -f html '.escapeshellarg($file), $return_value);
+			// TODO: use exec safe and catch exception
+			$ret = (new \libraries\ProcRunner(array('pygmentize', '-F', 'codetagify', '-O', 'encoding=guess,outencoding=utf8,stripnl=False', '-l', $lexer, '-f', 'html', $file)))
+				->forbid_stderr()
+				->exec();
 			// Last 2 items are "</pre></div>" and ""
 			$lines_to_remove = 2;
 		}
-		$buf = ob_get_contents();
-		ob_end_clean();
 
 
-		$buf = explode("\n", $buf);
+		$buf = explode("\n", $ret["stdout"]);
 		$line_count = count($buf);
 
 		for ($i = 1; $i <= $lines_to_remove; $i++) {
@@ -287,7 +290,7 @@ class File extends MY_Controller {
 		$output .= "</div>";
 
 		return array(
-			"return_value" => $return_value,
+			"return_value" => $ret["return_code"],
 			"output" => $output
 		);
 	}
@@ -305,12 +308,14 @@ class File extends MY_Controller {
 					echo '<div class="code content table markdownrender">'."\n";
 					echo '<div class="table-row">'."\n";
 					echo '<div class="table-cell">'."\n";
-					passthru(escapeshellarg(FCPATH.'scripts/Markdown.pl').' '.escapeshellarg($file), $return_value);
+					// TODO: use exec safe and catch exception
+					$r = (new \libraries\ProcRunner(array(FCPATH.'scripts/Markdown.pl', $file)))->forbid_stderr()->exec();
+					echo $r['stdout'];
 					echo '</div></div></div>';
 
 					return array(
 						"output" => ob_get_clean(),
-						"return_value" => $return_value,
+						"return_value" => $r["return_code"],
 					);
 				} else {
 					return get_instance()->_colorify($file, $lexer, $is_multipaste ? $filedata["id"] : false);
-- 
cgit v1.2.3-24-g4f1b