From 4006e62860c73f0943e71c7da478256a7337941d Mon Sep 17 00:00:00 2001
From: Bernd Waibel
Date: Mon, 31 Jan 2022 08:12:35 +0100
Subject: [PATCH 1/2] Backport of 0004809: Security vulnerability in DWG import when using ODA file converter
Original patch commit id 1742d7ff82af1653253c4a4183c262c9af3b26d6 by wmayer .
Signed-off-by: Bernd Waibel
--- a/src/Mod/Draft/importDWG.py
+++ b/src/Mod/Draft/importDWG.py
@@ -44,8 +44,6 @@ https://knowledge.autodesk.com/support/autocad/downloads/
 # * *
 # ***************************************************************************
 
-# TODO: use subprocess.popen() instead of subprocess.call()
-
 import six
 import FreeCAD
 from FreeCAD import Console as FCC
@@ -217,15 +215,10 @@ def convertToDxf(dwgfilename):
 indir = os.path.dirname(dwgfilename)
 outdir = tempfile.mkdtemp()
 basename = os.path.basename(dwgfilename)
- cmdline = ('"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"'
- % (teigha, indir, outdir, basename))
- FCC.PrintMessage(translate("ImportDWG", "Converting: ")
- + cmdline + "\n")
- if six.PY2:
- if isinstance(cmdline, six.text_type):
- encoding = sys.getfilesystemencoding()
- cmdline = cmdline.encode(encoding)
- subprocess.call(cmdline, shell=True) # os.system(cmdline)
+ cmdline = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
+ FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+ proc = subprocess.Popen(cmdline)
+ proc.communicate()
 result = outdir + os.sep + os.path.splitext(basename)[0] + ".dxf"
 if os.path.exists(result):
 FCC.PrintMessage(translate("ImportDWG", 
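Review bot: The converter's exit status is discarded: `proc.communicate()` waits for the child, but `proc.returncode` is never read, so a failing or missing ODA run falls through silently to the `os.path.exists(result)` test, which then reports only that no DXF appeared. After `proc.communicate()` I would add `if proc.returncode != 0:` with an `FCC.PrintError` line that names the return code and `cmdline`, so the cause is visible in the console. The new message also switches the translation context to `translate("draft", ...)` while the next lines of the same function keep `translate("ImportDWG", ...)`, which looks like an unintended inconsistency. The same missing return-code check applies to the convertToDwg hunk below. Both hunks start after their function's `def` line, and convertToDxf continues past the end of this one.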
@@ -270,10 +263,9 @@ def convertToDwg(dxffilename, dwgfilename):
 indir = os.path.dirname(dxffilename)
 outdir = os.path.dirname(dwgfilename)
 basename = os.path.basename(dxffilename)
- cmdline = ('"%s" "%s" "%s" "ACAD2000" "DWG" "0" "1" "%s"'
- % (teigha, indir, outdir, basename))
- FCC.PrintMessage(translate("ImportDWG", "Converting: ")
- + cmdline + "\n")
- subprocess.call(cmdline, shell=True) # os.system(cmdline)
+ cmdline = [teigha, indir, outdir, "ACAD2000", "DWG", "0", "1", basename]
+ FCC.PrintMessage(translate("draft", "Converting:") + " " + str(cmdline) + "\n")
+ proc = subprocess.Popen(cmdline)
+ proc.communicate()
 return dwgfilename
 return None
-- 
2.35.0
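Review bot: `return dwgfilename` after `proc.communicate()` signals success no matter what the converter did: neither `proc.returncode` nor the existence of `dwgfilename` is checked, so callers can receive a path to a file that was never written, whereas convertToDxf at least tests `os.path.exists(result)` first. I would guard the return with `if proc.returncode == 0 and os.path.exists(dwgfilename):` and otherwise fall through to the existing `return None`, mirroring the DXF path. The `def convertToDwg` line and, judging by the two context `return` lines, an enclosing `if` both start outside this hunk, so the guard's exact placement needs the full function.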