Kicad-cli: sym export svg writes to unsanitized file name
Description
Some manufacturers have characters that are not permitted in file paths in their MPNs. When exporting the symbol of such a part (MCP4728-E/UN) to svg, I get the following output and (for obvious reasons) no svg-file:
Unable to open destination 'mcp4728-e/un.svg'
Plotting symbol 'MCP4728-E/UN' to 'mcp4728-e/un.svg'
Expected behavior: Filenames should be sanitized before trying to write to disk.
P.S.: I also attempted this with a LIBRARY_ID of '../MCP4728-EUN' and got (as feared) the following output:
Plotting symbol '../MCP4728-EUN' to '../mcp4728-eun.svg'
This makes it pretty dangerous to use this in a CI environment, as a malicious file could be introduced to overwrite arbitrary files that the current user has access to.
Steps to reproduce
- Create a .kicad_sym-file with a LIBRARY_ID that contains e.g. /
- Run kicad-cli-nightly sym export svg $FILENAME (or kicad-cli if compiled from source)
- Get the error as described above
KiCad Version
Application: KiCad x86_64 on x86_64
Version: 7.99.0-unknown-aab0696bb6~172~ubuntu22.04.1, release build
Libraries:
wxWidgets 3.2.1
FreeType 2.11.1
HarfBuzz 2.7.4
FontConfig 2.13.1
libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Platform: Ubuntu 22.04.3 LTS, 64 bit, Little endian, wxGTK, X11, ubuntu, wayland
Build Info:
Date: Sep 26 2023 16:04:59
wxWidgets: 3.2.1 (wchar_t,wx containers) GTK+ 3.24
Boost: 1.74.0
OCC: 7.5.2
Curl: 7.81.0
ngspice: 40
Compiler: GCC 11.4.0 with C++ ABI 1016
Build settings:
Edited by Matthias B.
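
The sanitization requested above, as an added C++17 example that is not KiCad's code and not part of the original report; the function names and the `out` directory are assumptions. It reduces the symbol name to a single path component and then checks that the resulting file is still a direct child of the output directory.

```cpp
// Added illustration, not KiCad source. All function names are hypothetical.
#include <cctype>
#include <filesystem>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Reduce a symbol name to one safe path component (allow-list, lower-cased
// like the file names in the report's output).
std::string SanitizeSymbolFileName( const std::string& aName )
{
    std::string out;

    for( unsigned char c : aName )
    {
        // '/', '\\', ':' and control characters all fall through to '_'.
        if( std::isalnum( c ) || c == '-' || c == '_' || c == '.' )
            out += static_cast<char>( std::tolower( c ) );
        else
            out += '_';
    }

    // "", "." and ".." name directories, not files.
    if( out.find_first_not_of( '.' ) == std::string::npos )
        out = "_";

    return out;
}

// True only if aTarget resolves (lexically) to a direct child of aDir.
bool IsDirectChild( const fs::path& aDir, const fs::path& aTarget )
{
    fs::path dir = ( fs::absolute( aDir ) / "" ).lexically_normal().parent_path();
    fs::path target = fs::absolute( aTarget ).lexically_normal();
    return target.has_filename() && target.parent_path() == dir;
}

// Build the SVG path for a symbol; refuse anything that leaves aOutputDir.
std::optional<fs::path> SafeSvgPath( const fs::path& aOutputDir, const std::string& aSymbolName )
{
    fs::path target = aOutputDir / ( SanitizeSymbolFileName( aSymbolName ) + ".svg" );

    if( !IsDirectChild( aOutputDir, target ) )   // defence in depth after sanitizing
        return std::nullopt;

    return target;
}
```

The containment check is lexical only; it does not resolve symlinks that already exist inside the output directory.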