DCWorkflowGraph: do not pass request params to os.system for security reasons.

Also, remove copy and paste code from DCWorkflowGraph in ERP5Workflow and
allow to override getPOT() like ERP5Workflow does.
Signed-off-by: Arnaud Fontaine <arnaud.fontaine@nexedi.com>

product/ERP5Type/patches/DCWorkflowGraph.py

@@ -77,6 +77,7 @@ DCWorkflowGraph.getObjectTitle = getObjectTitle
 from Products.DCWorkflowGraph.config import bin_search_path, DOT_EXE
 from tempfile import NamedTemporaryFile
 from zLOG import LOG, WARNING
+import subprocess
 
 def getGraph(self, wf_id="", format="png", REQUEST=None):
   """show a workflow as a graph, copy from:
@@ -91,10 +92,10 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
   match Japanese font or to use Unifont which supports many code points.
   """
   try:
-    pot = DCWorkflowGraph.getPOT(self, wf_id, REQUEST)
+    pot = self.getPOT(wf_id, REQUEST)
   except TypeError:
     # DCWorkflowGraph < 0.4
-    pot = DCWorkflowGraph.getPOT(self, wf_id)
+    pot = self.getPOT(wf_id)
   try:
     encoding = self.portal_properties.site_properties.getProperty(
       'default_charset', 'utf-8')
@@ -113,10 +114,15 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
 
     if format != 'dot':
       with NamedTemporaryFile(suffix='.%s' % format) as outfile:
-        os.system('%s -Nfontname="IPAexGothic" -Nfontsize=10 '
-                  '-Efontname="IPAexGothic" -Efontsize=10 -T%s '
-                  '-o %s %s' % (DCWorkflowGraph.bin_search(DOT_EXE),
-                                format, outfile, infile))
+        subprocess.call((DCWorkflowGraph.bin_search(DOT_EXE),
+                         '-Nfontname="IPAexGothic"',
+                         '-Nfontsize=10',
+                         '-Efontname="IPAexGothic"',
+                         '-Efontsize=10',
+                         '-T%s' % format,
+                         '-o',
+                         outfile.name,
+                         infile.name))
 
         result = outfile.read()
 
@@ -134,5 +140,8 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
 
   return result
 
+DCWorkflowGraph.getGraph = getGraph
+
 from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
 DCWorkflowDefinition.getGraph = getGraph
+DCWorkflowDefinition.getPOT = DCWorkflowGraph.getPOT

product/ERP5Workflow/Document/Workflow.py

@@ -34,7 +34,7 @@ from Products.ERP5Type.XMLObject import XMLObject
 from tempfile import mktemp
 import os
 from Products.DCWorkflowGraph.config import DOT_EXE
-from Products.DCWorkflowGraph.DCWorkflowGraph import bin_search
+from Products.DCWorkflowGraph.DCWorkflowGraph import bin_search, getGraph
 
 from Globals import PersistentMapping
 from Acquisition import aq_base
@@ -143,26 +143,9 @@ class Workflow(XMLObject):
   ## Graph ##
   ############
 
-  def getGraph(self, format="gif", REQUEST=None, *args, **kw):
-      """
-      show a workflow as a graph, copy from:
-      "OpenFlowEditor":http://www.openflow.it/wwwopenflow/Download/OpenFlowEditor_0_4.tgz
-      """
-      pot = self.getPOT()
-      infile = mktemp('.dot')
-      f = open(infile, 'w')
-      f.write(pot)
-      f.close()
-      outfile = mktemp('.%s' % format)
-      os.system('%s -T%s -o %s %s' % (bin_search(DOT_EXE), format, outfile, infile))
-      out = open(outfile, 'rb')
-      result = out.read()
-      out.close()
-      os.remove(infile)
-      os.remove(outfile)
-      return result
-
-  def getPOT(self):
+  getGraph = getGraph
+
+  def getPOT(self, *args, **kwargs):
       """
       get the pot, copy from:
       "dcworkfow2dot.py":http://awkly.org/Members/sidnei/weblog_storage/blog_27014