From 8efedf3158e157655f5f4beb9207fb3775e007f0 Mon Sep 17 00:00:00 2001
From: Robbie Averill
Date: Thu, 7 Dec 2017 12:40:11 +1300
Subject: [PATCH] FIX Escape file path before loading file from filesystem
---
 code/model/DMSDocument_Controller.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/code/model/DMSDocument_Controller.php b/code/model/DMSDocument_Controller.php
index 6aa4912..3ddf7a6 100644
--- a/code/model/DMSDocument_Controller.php
+++ b/code/model/DMSDocument_Controller.php
@@ -82,6 +82,7 @@ class DMSDocument_Controller extends Controller
 $finfo = finfo_open(FILEINFO_MIME_TYPE);
 $mime = finfo_file($finfo, $path);
 } elseif (is_executable($fileBin)) {
+ $path = escapeshellarg($path);
 // try to use the system tool
 $mime = `$fileBin -i -b $path`;
 $mime = explode(';', $mime);
@@ -89,7 +90,7 @@ class DMSDocument_Controller extends Controller
 } else {
 // make do with what we have
 $ext = $doc->getExtension();
- if ($ext =='pdf') {
+ if ($ext == 'pdf') {
 $mime = 'application/pdf';
 } elseif ($ext == 'html' || $ext =='htm') {
 $mime = 'text/html';
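Review bot: Reassigning `$path` to its shell-quoted form inside the `is_executable($fileBin)` branch means any later use of `$path` in this method sees a string wrapped in single quotes, which is no longer a valid filesystem path. The method continues outside the hunk, so this cannot be confirmed here, but if `$path` is later read or streamed to the client, this branch would fail while the finfo branch keeps working. Keep the quoting local with `$escapedPath = escapeshellarg($path);` and interpolate `$escapedPath` in the backtick command instead. `$fileBin` is still interpolated unquoted and its origin is not visible in the hunk, so it deserves the same treatment, and a `--` before the path operand would keep a path that starts with `-` from being parsed as an option.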