Correctly escape issue text in Gantt PNG export for ImageMagick convert (#38728).

Patch by Holger Just. git-svn-id: https://svn.redmine.org/redmine/trunk@22314 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-12 16:26:03 +01:00 · 2023-09-21 00:35:13 +00:00
parent 3928d82ee1
commit 949f57f521
2 changed files with 15 additions and 4 deletions
--- a/lib/redmine/helpers/gantt.rb
+++ b/lib/redmine/helpers/gantt.rb
@@ -420,7 +420,7 @@ module Redmine
            gc.stroke('transparent')
            gc.strokewidth(1)
            gc.draw('text %d,%d %s' % [
-              left.round + 8, 14, Redmine::Utils::Shell.shell_quote("#{month_f.year}-#{month_f.month}")
+              left.round + 8, 14, magick_text("#{month_f.year}-#{month_f.month}")
            ])
            left = left + width
            month_f = month_f >> 1
@@ -456,7 +456,7 @@ module Redmine
              gc.stroke('transparent')
              gc.strokewidth(1)
              gc.draw('text %d,%d %s' % [
-                left.round + 2, header_height + 14, Redmine::Utils::Shell.shell_quote(week_f.cweek.to_s)
+                left.round + 2, header_height + 14, magick_text(week_f.cweek.to_s)
              ])
              left = left + width
              week_f = week_f + 7
@@ -822,7 +822,7 @@ module Redmine
        params[:image].stroke('transparent')
        params[:image].strokewidth(1)
        params[:image].draw('text %d,%d %s' % [
-          params[:indent], params[:top] + 2, Redmine::Utils::Shell.shell_quote(subject)
+          params[:indent], params[:top] + 2, magick_text(subject)
        ])
      end

@@ -1072,10 +1072,16 @@ module Redmine
          params[:image].draw('text %d,%d %s' % [
            params[:subject_width] + (coords[:bar_end] || 0) + 5,
            params[:top] + 1,
-            Redmine::Utils::Shell.shell_quote(label)
+            magick_text(label)
          ])
        end
      end
+
+      # Escape the passed string as a text argument in a draw rule for
+      # mini_magick. Note that the returned string is not shell-safe on its own.
+      def magick_text(str)
+        "'#{str.to_s.gsub(/['\\]/, '\\\\\0')}'"
+      end
    end
  end
 end
--- a/test/unit/lib/redmine/helpers/gantt_test.rb
+++ b/test/unit/lib/redmine/helpers/gantt_test.rb
@@ -574,4 +574,9 @@ class Redmine::Helpers::GanttHelperTest < Redmine::HelperTest

    assert_equal versions.sort, Redmine::Helpers::Gantt.sort_versions!(versions.dup)
  end
+
+  def test_magick_text
+    create_gantt
+    assert_equal "'foo\\'bar\\\\baz'", @gantt.send(:magick_text, "foo'bar\\baz")
+  end
 end