Remove untrusted input to exec

peterbraden · Mar 20, 2019 · 81a4b86 · 81a4b86
1 parent cfc96ba
commit 81a4b86
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/utils/find-opencv.js b/utils/find-opencv.js
@@ -2,13 +2,13 @@
 
 var exec = require("child_process").exec;
 var fs = require("fs");
-var flag = process.argv[2] || "--exists";
+var flag = "--exists";
 
 // Normally |pkg-config opencv ...| could report either OpenCV 2.x or OpenCV 3.y
 // depending on what is installed.  To enable both 2.x and 3.y to co-exist on
 // the same machine, the opencv.pc for 3.y can be installed as opencv3.pc and
 // then selected by |export PKG_CONFIG_OPENCV3=1| before building node-opencv.
-var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : '"opencv >= 2.3.1"';
+var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : ' "opencv >= 2.3.1"';
 
 function main(){
     //Try using pkg-config, but if it fails and it is on Windows, try the fallback
@@ -18,7 +18,7 @@ function main(){
                 fallback();
             }
             else{
-                throw new Error("ERROR: failed to run: pkg-config", opencv, flag);
+              throw new Error("ERROR: failed to run: pkg-config" + opencv + " " + flag + " - Is OpenCV installed?");
             }
         }
         else{