Forwarded: https://bugs.launchpad.net/shutter/+bug/1652600/comments/5
Author: dod
Description: Fix perl system calls
 This patch replaces all system("big string") calls to 
 system(@big_list) in all plugins to avoid problems similar to CVS-2016-10081.
--- a/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
+++ b/share/shutter/resources/system/plugins/perl/sppolaroid/sppolaroid
@@ -349,9 +349,6 @@
 
 sub apply_effect {
 
-	#quote filename
-	my $qfilename = quotemeta $filename;
-
 	if ( $use_caption ) {
 
 		my $text = $caption_entry->get_text;
@@ -360,27 +357,32 @@
 		$text = quotemeta $text;
 
 		my $color = $stroke_color->get_color;
-			
-		system( "convert -caption "
-				. $text
-				. " -fill '"
-				. sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
-				. "' $qfilename -pointsize "
-				. $pointsize_sbutton->get_value
-				. " -gravity "
-				. $gravity_combo->get_active_text
-				. "  -bordercolor snow "
-				. " -background black "
-				. " -polaroid "
-				. $angle_sbutton->get_value
-				. " $tmpfilename" );
-				
+
+		system(
+            convert =>
+            -caption => $text,
+            -fill => sprintf( "#%04x%04x%04x%04x",
+                              $color->red,
+                              $color->green,
+                              $color->blue,
+                              $stroke_color->get_alpha
+                          ),
+            $filename,
+            -pointsize => $pointsize_sbutton->get_value,
+            -gravity => $gravity_combo->get_active_text,
+            qw/-bordercolor snow -background black/,
+            -polaroid => $angle_sbutton->get_value,
+            $tmpfilename
+        );
 	} else {
-		
-		system( "convert $qfilename -bordercolor white -border 6 -bordercolor grey60 -border 1 -background none -rotate "
-				. $angle_sbutton->get_value
-				. " -background  black  \\( +clone -shadow 60x4+4+4 \\) +swap -background none -flatten $tmpfilename" );
-	
+		system(
+            convert => $filename,
+            qw/-bordercolor white -border 6 -bordercolor grey60 -border 1 -background none/,
+            -rotate => $angle_sbutton->get_value,
+            -background => 'black',
+            qw/( +clone -shadow 60x4+4+4 ) +swap -background none/,
+            -flatten => $tmpfilename
+        );
 	}
 
 }
--- a/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
+++ b/share/shutter/resources/system/plugins/perl/spwatermark/spwatermark
@@ -342,33 +342,27 @@
 	$text = strftime $text, localtime;
 	$text = quotemeta $text;
 
-	#quote filename
-	my $qfilename = quotemeta $filename;
-
 	my $psize = $pointsize_sbutton->get_value;
 
 	my $color = $stroke_color->get_color;
 
-	#execute imagemagick command		
-	system(   "convert "
-			. "-background '#00000000'" 
-			. " -fill '"
-			. sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha )
-			. "' -pointsize "
-			. $psize
-			. " -gravity "
-			. $gravity_combo->get_active_text
-			. " -rotate "
-			. $angle_sbutton->get_value
-			. " label:"
-			. $text
-			. " $tmpfilename" );
-			
-	system("composite $tmpfilename"		
-			. " -gravity "
-			. $gravity_combo->get_active_text
-			. " $qfilename"
-			. " $tmpfilename2" );
+	#execute imagemagick command
+	system(
+        convert =>
+        -background => '#00000000',
+        -fill => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $stroke_color->get_alpha ),
+        -pointsize => $psize,
+        -gravity => $gravity_combo->get_active_text,
+        -rotate => $angle_sbutton->get_value,
+        "label:$text",
+        $tmpfilename
+    );
+
+	system(
+        composite => $tmpfilename,
+        -gravity => $gravity_combo->get_active_text,
+        $filename => $tmpfilename2
+    );
 
 }
 
--- a/share/shutter/resources/system/plugins/perl/spshadow/spshadow
+++ b/share/shutter/resources/system/plugins/perl/spshadow/spshadow
@@ -368,24 +368,22 @@
 		$direction2 = "80x3-1-1";
 	}
 
-	#quote filename
-	my $qfilename = quotemeta $filename;
-	
-	#execute imagemagick command		
-	system( "convert"
-			. " $qfilename"
-			. " -gravity northwest -background 'rgba(255,255,255,0)' -splice 10x10"
-			. " \\( +clone -background '"
-			. sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
-			. "' -shadow "
-			. $direction2
-			. " \\) +swap -background none -mosaic +repage"
-			. " \\( +clone -background '"
-			. sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha )
-			. "' -shadow "
-			. $direction1
-			. " \\) +swap -background none -mosaic +repage"
-			. " $tmpfilename" );
+	#execute imagemagick command
+	system(
+        convert => $filename,
+        -gravity => 'northwest',
+        -background => 'rgba(255,255,255,0)',
+        -splice => '10x10',
+        qw/( +clone/,
+        -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
+        -shadow => $direction2,
+        qw/) +swap -background none -mosaic +repage/,
+        qw/( +clone/,
+        -background => sprintf( "#%04x%04x%04x%04x", $scolor->red, $scolor->green, $scolor->blue, $shadow_color->get_alpha ),
+        -shadow => $direction1,
+        qw/) +swap -background none -mosaic +repage/,
+        $tmpfilename
+    );
 
 }
 
--- a/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
+++ b/share/shutter/resources/system/plugins/perl/spbardistortion/spbardistortion
@@ -386,24 +386,13 @@
 
 	my $color = $back_color->get_color;
 
-	#quote filename
-	my $qfilename = quotemeta $filename;
-
 	#execute imagemagick command		
-	system(   "convert"
-			. " -virtual-pixel Background -background '"
-			. sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha )
-			. "' -distort Barrel '"
-			. $c1_sbutton->get_value
-			. " "
-			. $c2_sbutton->get_value
-			. " "
-			. $c3_sbutton->get_value
-			. " "
-			. $c4_sbutton->get_value														
-			. "' $qfilename"
-			. " $tmpfilename" );
-												
+	system (
+        qw/convert -virtual-pixel Background/,
+        -background => sprintf( "#%04x%04x%04x%04x", $color->red, $color->green, $color->blue, $back_color->get_alpha ),
+        -distort => Barrel => join(' ',$c1_sbutton->get_value, $c2_sbutton->get_value, $c3_sbutton->get_value, $c4_sbutton->get_value),
+        $filename, $tmpfilename
+    );
 }
 
 sub fct_update_gui {
--- a/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
+++ b/share/shutter/resources/modules/Shutter/Screenshot/Web.pm
@@ -69,7 +69,13 @@
 		$self->{_url} = "http://".$self->{_url};
 	}
 	
-	system("gnome-web-photo --timeout=$self->{_timeout} --mode=photo --width=$self->{_width} '$self->{_url}' '$self->{_dest_filename}'");
+	system(
+        'gnome-web-photo',
+        '--timeout='.$self->{_timeout},
+        '--mode=photo',
+        '--width='.$self->{_width},
+        $self->{_url}, $self->{_dest_filename}
+    );
 	
 	return TRUE;
 }
--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
+++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm
@@ -67,8 +67,12 @@
 }
 
 sub xdg_open_mail {
-	my ( $self, $dialog, $mail, $user_data ) = @_;
-	system("xdg-email $mail $user_data");
+	my ( $self, $dialog, $mail, @user_data ) = @_;
+
+    my @cmd = 'xdg-email';
+    push @cmd, $mail if $mail;
+	system(@cmd, @user_data);
+
 	if($?){
 		my $response = $self->{_dialogs}->dlg_error_message( 
 			sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-email'"),
@@ -82,7 +86,7 @@
 
 sub nautilus_sendto {
 	my ( $self, $user_data ) = @_;
-	system("nautilus-sendto $user_data &");
+	system('nautilus-sendto', $user_data);
 	if($?){
 		my $response = $self->{_dialogs}->dlg_error_message( 
 			sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"),
--- a/bin/shutter
+++ b/bin/shutter
@@ -6974,12 +6974,9 @@
             push( @files_to_email, $session_screens{$key}->{'long'} );
         }
 
-        my $mail_string = undef;
-        foreach my $email_filename (@files_to_email) {
-            $mail_string .= "--attach '$email_filename' ";
-        }
+        my @mail_args = map { ( '--attach' => $_ ) } @files_to_email;
 
-        $shf->xdg_open_mail( undef, undef, $mail_string );
+        $shf->xdg_open_mail( undef, undef, @mail_args );
 
         return TRUE;
     }
