In the engrave sources, in the file src/lib/engrave_out.c at about line 150
(current CVS), the last parameter should be surrounded by "", like this:
snprintf(cmd, sizeof(cmd), "edje_cc -v %s %s %s \"%s\"",
Also all strings passed to the system() call should be audited for the
same problem in e_utils/src/bin/e17setroot/e17setroot.c
If this is a point where commands could be injected, then those quotes are not sufficient to guard against any real attack. The contents pushed into that final %s could contain their own set of quotes such as: "; rm -rf $HOME; echo "h4x0red!
This would result in a valid command and be completely unaffected by the quotes.
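
The point made in the reply above, shown as an added example (not code from this thread or from engrave): the same file name is run once through the quoted-format-plus-shell approach and once as a plain argv entry with no shell. `echo` stands in for `edje_cc`; the helper names and the sample file name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv without a shell, capture stdout in out; returns exit status or -1. */
static int run_capture(char *const argv[], char *out, size_t outsz)
{
    int fds[2], st;
    if (outsz == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);
    size_t n = 0; ssize_t r;
    while (n < outsz - 1 && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Quoted format from the thread (echo stands in for edje_cc), run via sh -c as system() does. */
static int shell_quoted(const char *name, char *out, size_t outsz)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof(cmd), "echo \"%s\"", name);
    if (n < 0 || (size_t)n >= sizeof(cmd)) return -1;   /* refuse truncated commands */
    char *argv[] = { "sh", "-c", cmd, NULL };
    return run_capture(argv, out, outsz);
}

/* argv form: the name is a single argument; no shell ever parses it. */
static int exec_argv(const char *name, char *out, size_t outsz)
{
    char *argv[] = { "echo", (char *)name, NULL };
    return run_capture(argv, out, outsz);
}

/* Constructed sample input: a file name carrying its own quotes. */
static const char SAMPLE[] = "x.edj\"; echo INJECTED; echo \"done";

int main(void) { char a[256], b[256]; shell_quoted(SAMPLE, a, sizeof a); exec_argv(SAMPLE, b, sizeof b);
                 printf("sh -c:\n%sargv:\n%s", a, b); return strstr(b, "\nINJECTED") != NULL; }
```

With the shell in the path, the embedded quotes end the quoted string and the middle `echo` runs as its own command; with `execvp` the whole name reaches the program as one literal argument.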
