Properly escape arguments to prevent shell injection

commit aeadbed8c04b0f4c5a18c92aa1b6ddb7cdf8d746 1 parent 0726847
@knoopx knoopx authored
Showing with 5 additions and 4 deletions.
  1. +2 −1  lib/mini_magick.rb
  2. +3 −3 test/command_builder_test.rb
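--- a/lib/mini_magick.rb
+++ b/lib/mini_magick.rb
@@ -2,6 +2,7 @@
 require 'subexec'
 require 'stringio'
 require 'pathname'
+require 'shellwords'
 module MiniMagick
 class << self
@@ -487,7 +488,7 @@ def add_command(command, *options)
 end
 def escape_string(value)
- '"' + value + '"'
+ Shellwords.escape(value.to_s)
 end
 def add_creation_operator(command, *options)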
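Review bot: `Shellwords.escape` in the new `escape_string` produces POSIX `sh` quoting only, so the fix holds where the joined command goes through a Bourne-style shell (the file requires `subexec`, which suggests it does) but the backslash escapes it emits are not valid quoting for `cmd.exe` on Windows; that limit should be stated on the method, e.g. `# Escapes value for a POSIX shell; the backslash quoting is not meaningful to cmd.exe`. The added `.to_s` also changes the contract quietly: a `nil` value used to raise on the old string concatenation and now appears to become an empty `''` argument, which is worth a second `# nil becomes an empty quoted argument` note or an explicit guard if callers rely on the failure. The `@@ -2,6 +2,7` hunk's `require 'shellwords'` is the only change there and needs nothing; `add_command` ends outside this hunk.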
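--- a/test/command_builder_test.rb
+++ b/test/command_builder_test.rb
@@ -6,7 +6,7 @@ class CommandBuilderTest < Test::Unit::TestCase
 def test_basic
 c = CommandBuilder.new("test")
 c.resize "30x40"
- assert_equal "-resize \"30x40\"", c.args.join(" ")
+ assert_equal '-resize 30x40', c.args.join(" ")
 end
 def test_complicated
@@ -14,13 +14,13 @@ def test_complicated
 c.resize "30x40"
 c.alpha "1 3 4"
 c.resize "mome fingo"
- assert_equal "-resize \"30x40\" -alpha \"1 3 4\" -resize \"mome fingo\"", c.args.join(" ")
+ assert_equal '-resize 30x40 -alpha 1\ 3\ 4 -resize mome\ fingo', c.args.join(" ")
 end
 def test_plus_modifier_and_multiple_options
 c = CommandBuilder.new("test")
 c.distort.+ 'srt', '0.6 20'
- assert_equal "+distort \"srt\" \"0.6 20\"", c.args.join(" ")
+ assert_equal '+distort srt 0.6\ 20', c.args.join(" ")
 end
 def test_valid_command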
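Review bot: The rewritten assertions in `test_basic`, `test_complicated` and `test_plus_modifier_and_multiple_options` only pin that spaces are backslash-escaped; none of them exercises a shell metacharacter, which is the case the commit title is about, so a later regression back to plain double-quote wrapping (which leaves `$` and backticks live inside `"..."`) would still pass this file. A single added case in `test_basic` closes that gap: `c.resize '30x40$HOME'` followed by `assert_equal '-resize 30x40\$HOME', c.args.join(" ")`, since `Shellwords.escape` backslash-escapes `$`. The same check could be repeated for a backtick or `;` if the suite wants each metacharacter class covered. `test_complicated` begins before the second hunk.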