dvipdfmx \special{PSfile=...} fix
https://tug.org/pipermail/tldistro/2026q1/000542.html

Index: texk/dvipdfm-x/dpxfile.c
--- texk/dvipdfm-x/dpxfile.c.orig
+++ texk/dvipdfm-x/dpxfile.c
@@ -1,5 +1,5 @@
 /* This is dvipdfmx, an eXtended version of dvipdfm by Mark A. Wicks.
-    Copyright (C) 2002-2020 by Jin-Hwan Cho and Shunsaku Hirata,
+    Copyright (C) 2002-2026 by Jin-Hwan Cho and Shunsaku Hirata,
     the dvipdfmx project team.
     
     Copyright (C) 1998, 1999 by Mark A. Wicks <mwicks@kettering.edu>
@@ -1057,10 +1057,26 @@ dpx_delete_temp_file (char *tmp, int force)
   return;
 }
 
+/* Return nonzero if the filename contains characters that could break
+ * out of quoting in exec_spawn()'s command parser and allow argument
+ * injection.  exec_spawn() splits on spaces and handles '...' and "..."
+ * but has no escape mechanism for embedded quotes.
+ */
+static int
+filename_unsafe_for_command (const char *name)
+{
+  const char *p;
+  for (p = name; *p; p++) {
+    if (*p == '\'' || *p == '"')
+      return 1;
+  }
+  return 0;
+}
+
 /* dpx_file_apply_filter() is used for converting unsupported graphics
  * format to one of the formats that dvipdfmx can natively handle.
  * 'input' is the filename of the original file and 'output' is actually
- * temporal files 'generated' by the above routine.   
+ * temporal files 'generated' by the above routine.
  * This should be system dependent. (MiKTeX may want something different)
  * Please modify as appropriate (see also pdfximage.c and dvipdfmx.c).
  */
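Review bot: filename_unsafe_for_command() rejects only `'` and `"`, yet its own comment says exec_spawn() splits on spaces, so a name containing a space still becomes several arguments wherever the command template leaves the substituted name unquoted. Whether every template quotes the name cannot be seen from this hunk. A name that begins with `-` also passes and may be read as an option by the filter program. Either extend the test (for example `if (name[0] == '-') return 1;` before the loop) or state the assumption in the comment, e.g. `/* Relies on the template quoting the substituted name; spaces are not rejected here. */`. The comment should also say that `name` must be non-NULL, since the loop dereferences it unconditionally.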
@@ -1077,6 +1093,17 @@ dpx_file_apply_filter (const char *cmdtmpl,
     return -1;
   else if (!input || !output)
     return -1;
+
+  if (filename_unsafe_for_command(input)) {
+    WARN("Input filename contains unsafe characters for command execution: %s",
+         input);
+    return -1;
+  }
+  if (filename_unsafe_for_command(output)) {
+   WARN("Output filename contains unsafe characters for command execution: %s",
+        output);
+    return -1;
+  }
 
   size = strlen(cmdtmpl) + strlen(input) + strlen(output) + 3;
   cmd  = NEW(size, char);
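Review bot: The new guard protects only dpx_file_apply_filter(), so any other code path that substitutes a file name into a command string for exec_spawn() needs the same check; none is visible in this hunk, and that should be confirmed against the rest of the tree. Both WARN calls echo the rejected name verbatim with `%s`, so a name taken from a `\special` can put control characters into the log or terminal, and printing a sanitized or truncated form would be safer. On style, the second `WARN(` line and its continuation are indented one column less than the first pair and should be aligned with them. The function body begins and continues outside this hunk.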
