
Sanitize user input using Shellwords.escape and bump patch number

1 parent 00a2b68 commit b819b13d198495f3ecd2762a0dbe27bb6fae3505 @rcook committed with Richard Cook Aug 1, 2013
Showing with 5 additions and 4 deletions.
  1. +1 −1 lib/rgpg/gem_info.rb
  2. +4 −3 lib/rgpg/gpg_helper.rb
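--- a/lib/rgpg/gem_info.rb
+++ b/lib/rgpg/gem_info.rb
@@ -2,7 +2,7 @@ module Rgpg
 module GemInfo
 MAJOR_VERSION = 0
 MINOR_VERSION = 2
-PATCH_VERSION = 2
+PATCH_VERSION = 3
 def self.version_string
 [MAJOR_VERSION, MINOR_VERSION, PATCH_VERSION].join('.')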
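--- a/lib/rgpg/gpg_helper.rb
+++ b/lib/rgpg/gpg_helper.rb
@@ -1,4 +1,5 @@
 require 'tempfile'
+require 'shellwords'
 module Rgpg
 module GpgHelper
@@ -10,7 +11,7 @@ def self.generate_key_pair(key_base_name, recipient, real_name)
 begin
 script_file.write(script)
 script_file.close
-result = system("gpg --batch --gen-key #{script_file.path}")
+result = system("gpg --batch --gen-key #{Shellwords.escape(script_file.path)}")
 raise RuntimeError.new('gpg failed') unless result
 ensure
 script_file.close
@@ -62,12 +63,12 @@ def self.run_gpg(*args)
 'gpg',
 '--no-default-keyring'
 ] + args
-command_line = fragments.join(' ')
+command_line = fragments.collect { |fragment| Shellwords.escape(fragment) }.join(' ')
 output_file = Tempfile.new('gpg-output')
 begin
 output_file.close
-result = system("#{command_line} > #{output_file.path} 2>&1")
+result = system("#{command_line} > #{Shellwords.escape(output_file.path)} 2>&1")
 ensure
 output_file.unlink
 end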
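Review bot: Escaping each fragment in the `run_gpg` hunk still hands the assembled string to `/bin/sh`, and the `> … 2>&1` redirection is the only reason a shell is involved; the multi-argument form of `Kernel#system` never invokes a shell, so `args` reaches gpg without passing through a parser, e.g. `result = system(*fragments, out: [output_file.path, 'w'], err: [:child, :out])` in place of the `command_line` build and the redirect string. The same applies to the `generate_key_pair` hunk, where `result = system('gpg', '--batch', '--gen-key', script_file.path)` needs no escaping at all. `Shellwords.escape` produces POSIX-shell quoting, so the interpolated form as committed is only correct where `system` runs a Bourne-compatible shell. Both `generate_key_pair` and `run_gpg` begin before their hunks and `run_gpg` continues past it, so check whether `command_line` is referenced further down (for logging or an error message) before dropping it.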
