Merged r22314 from trunk to 5.0-stable (#38728).

git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@22315 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/lib/redmine/helpers/gantt.rb b/lib/redmine/helpers/gantt.rb
index ade37a33e37c9b0f0d5cff0871a3ab0babdc7c49..e70482d045a3c801ca3024eb56085511b1e7157f 100644 (file)
--- a/lib/redmine/helpers/gantt.rb
+++ b/lib/redmine/helpers/gantt.rb
@@ -420,7 +420,7 @@ module Redmine
             gc.stroke('transparent')
             gc.strokewidth(1)
             gc.draw('text %d,%d %s' % [
-              left.round + 8, 14, Redmine::Utils::Shell.shell_quote("#{month_f.year}-#{month_f.month}")
+              left.round + 8, 14, magick_text("#{month_f.year}-#{month_f.month}")
             ])
             left = left + width
             month_f = month_f >> 1
@@ -456,7 +456,7 @@ module Redmine
               gc.stroke('transparent')
               gc.strokewidth(1)
               gc.draw('text %d,%d %s' % [
-                left.round + 2, header_height + 14, Redmine::Utils::Shell.shell_quote(week_f.cweek.to_s)
+                left.round + 2, header_height + 14, magick_text(week_f.cweek.to_s)
               ])
               left = left + width
               week_f = week_f + 7
@@ -822,7 +822,7 @@ module Redmine
         params[:image].stroke('transparent')
         params[:image].strokewidth(1)
         params[:image].draw('text %d,%d %s' % [
-          params[:indent], params[:top] + 2, Redmine::Utils::Shell.shell_quote(subject)
+          params[:indent], params[:top] + 2, magick_text(subject)
         ])
       end
 
@@ -1072,10 +1072,16 @@ module Redmine
           params[:image].draw('text %d,%d %s' % [
             params[:subject_width] + (coords[:bar_end] || 0) + 5,
             params[:top] + 1,
-            Redmine::Utils::Shell.shell_quote(label)
+            magick_text(label)
           ])
         end
       end
+
+      # Escape the passed string as a text argument in a draw rule for
+      # mini_magick. Note that the returned string is not shell-safe on its own.
+      def magick_text(str)
+        "'#{str.to_s.gsub(/['\\]/, '\\\\\0')}'"
+      end
     end
   end
 end

diff --git a/test/unit/lib/redmine/helpers/gantt_test.rb b/test/unit/lib/redmine/helpers/gantt_test.rb
index a3cfead37ee58d105801ecacabda1a70470b3db1..f0eff476a77f041a097ddb5053a64e8fe389ce0c 100644 (file)
--- a/test/unit/lib/redmine/helpers/gantt_test.rb
+++ b/test/unit/lib/redmine/helpers/gantt_test.rb
@@ -574,4 +574,9 @@ class Redmine::Helpers::GanttHelperTest < Redmine::HelperTest
 
     assert_equal versions.sort, Redmine::Helpers::Gantt.sort_versions!(versions.dup)
   end
+
+  def test_magick_text
+    create_gantt
+    assert_equal "'foo\\'bar\\\\baz'", @gantt.send(:magick_text, "foo'bar\\baz")
+  end
 end