filenames with spaces not supported

[iamjochem]

hi there,

filenames with spaces cause your tool to break because filename arguments are passed to pdf2htmlEX command line without quotes.

see here: https://github.com/fagbokforlaget/pdftohtmljs/blob/master/lib/pdftohtml.js#L58

given the way the cmd-line string is simply concatenated I assume this also consistutes a potential cmd injection vector (here is an example discussion regarding this security issue), I believe the following article offers a partial solution:

• https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js

I'm not sure whether using require('child_process').execFile() helps with the spaces in file paths, it might be worth considering some kind of package geared towards escaping shell arguments

P.S. this is a drive-by comment, I'm reporting something I found during testing but I ended up not using this module - I won't be creating a PR, please don't ask :-)

[iapain]

@iamjochem simply put your file name inside quotes.

[iamjochem]

sure that works but I don't think it's a good idea to put the responsibility of proper [cmd argument] escaping on the consumer of this module (effectively the consumer should not know that functionality is implemented using exec ... that is a leaky abstraction, also using quotes does not mitigate the potential command injection vulnerability

[iapain]

Right! If time permits I'll implement proper command execution. Thanks again for reporting.

[iamjochem]

cool - I reopened this issue so that it can remind you every now and again ;-)

[iapain]

@iamjochem as of v0.5.0 we now use spawn which is Command Injection safe. Also, filenames with space should also work v0.5.0 onwards.