https://bugs.gentoo.org/975515
https://gitlab.gnome.org/GNOME/evince/-/commit/970c219e861a5fcc3e7b9e05bedf18cf0de39245

From 970c219e861a5fcc3e7b9e05bedf18cf0de39245 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Germ=C3=A1n=20Poo-Caama=C3=B1o?= <gpoo@gnome.org>
Date: Mon, 18 May 2026 16:25:13 -0400
Subject: [PATCH] shell: quote strings in arguments used when calling ev_spawn

When spawning a new instance, it is good practice to sanitize the
arguments given to Evince, as those arguments may come from an
untrusted source. We want to prevent those values from being
interpreted as unintended flags by the child process.

Fixes #2153
---
 shell/ev-application.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/shell/ev-application.c b/shell/ev-application.c
index 001d21438..e35a5ef5f 100644
--- a/shell/ev-application.c
+++ b/shell/ev-application.c
@@ -154,7 +154,7 @@ ev_spawn (const char     *uri,
 	  guint           timestamp)
 {
 	GString *cmd;
-	gchar *path, *cmdline;
+	gchar *path, *cmdline, *quoted;
 	GAppInfo *app;
 	GError  *error = NULL;
 
@@ -179,10 +179,13 @@ ev_spawn (const char     *uri,
 	/* Page label */
 	if (dest) {
                 switch (ev_link_dest_get_dest_type (dest)) {
-                case EV_LINK_DEST_TYPE_PAGE_LABEL:
+                case EV_LINK_DEST_TYPE_PAGE_LABEL: {
+                        quoted = g_shell_quote (ev_link_dest_get_page_label (dest));
                         g_string_append_printf (cmd, " --page-label=%s",
-                                                ev_link_dest_get_page_label (dest));
+                                                quoted);
+                        g_free (quoted);
                         break;
+                     }
                 case EV_LINK_DEST_TYPE_PAGE:
                 case EV_LINK_DEST_TYPE_XYZ:
                 case EV_LINK_DEST_TYPE_FIT:
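Review bot: In the `EV_LINK_DEST_TYPE_PAGE_LABEL` case, `g_shell_quote ()` is applied to the return value of `ev_link_dest_get_page_label (dest)` without a NULL check, and the `EV_LINK_DEST_TYPE_NAMED` case in the next hunk does the same with `ev_link_dest_get_named_dest (dest)`. GLib's `g_shell_quote ()` rejects a NULL argument with a critical warning and returns NULL, so if either getter can return NULL (not visible from these hunks) the option is still appended with whatever `%s` prints for NULL and the parent now logs a critical as well. I would read the value first and skip the option when it is missing, e.g. `const char *label = ev_link_dest_get_page_label (dest);` then `if (label == NULL) break;` before quoting. The braces added after the two `case` labels are not required, since `quoted` is declared at function scope. ev_spawn's body starts and ends outside the hunk.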
@@ -192,10 +195,13 @@ ev_spawn (const char     *uri,
                         g_string_append_printf (cmd, " --page-index=%d",
                                                 ev_link_dest_get_page (dest) + 1);
                         break;
-                case EV_LINK_DEST_TYPE_NAMED:
+                case EV_LINK_DEST_TYPE_NAMED: {
+                        quoted = g_shell_quote (ev_link_dest_get_named_dest (dest));
                         g_string_append_printf (cmd, " --named-dest=%s",
-                                                ev_link_dest_get_named_dest (dest));
+                                                quoted);
+                        g_free (quoted);
                         break;
+                     }
                 default:
                         break;
                 }
@@ -203,7 +209,9 @@ ev_spawn (const char     *uri,
 
 	/* Find string */
 	if (search_string) {
-		g_string_append_printf (cmd, " --find=%s", search_string);
+		quoted = g_shell_quote (search_string);
+		g_string_append_printf (cmd, " --find=%s", quoted);
+		g_free (quoted);
 	}
 
 	/* Mode */
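Review bot: The quote/append/free sequence added under `/* Find string */` is the third hand-written copy of the same pattern in ev_spawn, after the page-label and named-dest cases. Any option added later gets no quoting unless its author remembers to repeat it. A small static helper taking the option name and the raw value would keep the quoting in one place and make an unquoted `g_string_append_printf` stand out in review. It is also the natural place for a comment saying why the value is quoted, since the code that turns `cmd` into an argument vector is outside these hunks. The sketch below shows the helper and the find-string call site; the other two sites would reduce to one call each.

```c
/* Append " <option>=<value>" to cmd with the value shell-quoted, so that
 * a value from an untrusted source stays a single argument. */
static void
ev_spawn_append_quoted_option (GString    *cmd,
                               const char *option,
                               const char *value)
{
	gchar *quoted;

	if (value == NULL)
		return;

	quoted = g_shell_quote (value);
	g_string_append_printf (cmd, " %s=%s", option, quoted);
	g_free (quoted);
}

/* … unchanged: ev_spawn signature, path setup, page-label/named-dest switch … */

	/* Find string */
	ev_spawn_append_quoted_option (cmd, "--find", search_string);
```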
-- 
GitLab
