Merge pull request #4200 from jekyll/pull/prevent-shell-injection

Prevent shell injection when opening a URL.
jekyll · Nov 30, 2015 · 9ff614c · 9ff614c
2 parents 2a4aa0f + c8edb15
commit 9ff614c
Showing 1 changed file with 7 additions and 15 deletions.
diff --git a/lib/jekyll/commands/serve.rb b/lib/jekyll/commands/serve.rb
@@ -46,24 +46,16 @@ def process(options)
             file_handler_options
           )
 
+
           server_address_str = server_address(s, options)
           Jekyll.logger.info "Server address:", server_address_str
 
-          begin
-            command_name = ""
-
-            if Utils::Platforms.windows?
-              command_name = "start"
-            elsif Utils::Platforms.osx?
-              command_name = "open"
-            elsif Utils::Platforms.linux?
-              command_name = "xdg-open"
-            end
-
-            system("#{command_name} #{server_address_str}")
-          rescue
-            Jekyll.logger.info "Could not open URL, exception was thrown"
-          end if options['open_url']
+          if options["open_url"]
+            command = Utils::Platforms.windows?? "start" : Utils::Platforms.osx?? \
+              "open" : "xdg-open"
+
+            system command, server_address_str
+          end
 
           if options['detach'] # detach the server
             pid = Process.fork { s.start }