Patch shell injection vulnerability in prepare page
By escaping the URL argument, we prevent arbitrary commands from being
able to be injected there.

Fixes #56
lazyatom committed Jul 8, 2017
1 parent 6058178 commit 5f8c715
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/printer/jobs/prepare_page.rb
@@ -3,6 +3,7 @@
require "printer/id_generator"
require "printer/preview"
require "timeout"
require "shellwords"

class Printer::Jobs::PreparePage
def self.queue
@@ -36,7 +37,7 @@ def self.perform(url, width, id, kind="print")
end

def self.save_url_to_path(url, width, path)
cmd = "phantomjs rasterise.js #{url} #{width} #{path}"
cmd = "phantomjs rasterise.js #{url.shellescape} #{width} #{path}"
run(cmd)
end

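Review bot: only `url` is escaped in the new `save_url_to_path` line; `width` and `path` are still interpolated unescaped into a single command string handed to `run(cmd)`, so whether this is fully closed depends on both of those values being under the application's control rather than on the escaping. The more robust change is to build the whole command with `Shellwords.join(["phantomjs", "rasterise.js", url, width.to_s, path])` (or to have `run` take an argument array and bypass the shell entirely), so every argument is escaped uniformly and a later change to how `width` or `path` is derived cannot reopen the issue. Also note a small behaviour change: `url.shellescape` raises `NoMethodError` on a `nil` URL where the old interpolation produced an empty string, so callers that could pass `nil` should validate `url` first.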

0 comments on commit 5f8c715
