
Untested fix for the command injection vulnerability. #85

Open
wants to merge 2 commits into from

2 participants

@lcashdol

Hi,
I didn't test this fix, but it should mitigate the command injection vulnerability I sent you guys. Please review and let me know if it looks correct? Thanks!

@skorth

Just saw this entry http://www.osvdb.org/show/osvdb/100920. Are all versions affected or just the current one? Would like to add it to https://github.com/rubysec/ruby-advisory-db.

@lcashdol

This impacts all versions. Thanks!

@skorth skorth referenced this pull request in rubysec/ruby-advisory-db
Merged

Add Webbynode Gem #68

Showing with 5 additions and 3 deletions.
  1. +2 −1  lib/webbynode.rb
  2. +3 −2 lib/webbynode/notify.rb
3  lib/webbynode.rb
@@ -8,6 +8,7 @@
require 'highline/import'
require 'readline'
require 'rainbow'
+require 'shellwords'
begin
require 'Win32/Console/ANSI' if RUBY_PLATFORM =~ /mswin/
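Review bot: `require 'shellwords'` belongs next to its only caller in `lib/webbynode/notify.rb` rather than in the top-level `lib/webbynode.rb`; as placed, `String#shellescape` is only defined if the top-level file happens to be loaded first, so a standalone `require 'webbynode/notify'` would raise `NoMethodError` at the first notification. Moving the require (or duplicating it in notify.rb, which is harmless) makes the fix self-contained.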
@@ -108,4 +109,4 @@ def initialize(*args)
@ssl_context = OpenSSL::SSL::SSLContext.new
@ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
-end
+end
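Review bot: the only change in this hunk is the final `end` replaced by an identical `end`, which looks like a trailing-newline or whitespace-only edit; it adds noise to a security fix and could be dropped so the diff shows just the functional change. Separately, the unchanged context shows `@ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE`, which disables certificate verification for the API client; that is outside the scope of this PR but deserves its own issue.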
5 lib/webbynode/notify.rb
@@ -8,7 +8,8 @@ class Notify
def self.message(message)
if self.installed? and !$testing
message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
- %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
+
+ %x(growlnotify -t "#{TITLE.shellescape}" -m "#{message.shellescape}" --image "#{IMAGE_PATH.shellescape}")
end
end
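Review bot: the `shellescape` calls in the new `%x(...)` line are wrapped in double quotes, which both mangles the output and is not how `Shellwords.shellescape` is meant to be used. `shellescape` produces a token that is safe in an unquoted shell position by backslash-escaping every special character, so a message like `build done; rm ok` becomes `build\ done\;\ rm\ ok`; inside `"..."` a POSIX shell keeps a backslash literally unless it precedes `$`, `` ` ``, `"`, `\` or newline, so growlnotify receives the backslashes verbatim. Injection is still blocked (the `"`, `$` and backtick cases are escaped either way), but the notification text will be corrupted. Either drop the surrounding quotes, `%x(growlnotify -t #{TITLE.shellescape} -m #{message.shellescape} --image #{IMAGE_PATH.shellescape})`, or, preferably, avoid the shell entirely with the multi-argument form `system("growlnotify", "-t", TITLE, "-m", message, "--image", IMAGE_PATH)`, which passes each value as a separate argv entry and needs no escaping at all. The added empty `+` line should also be removed, and the `gsub` that strips ANSI sequences on the preceding line should not be mistaken for an injection control; it only cleans display codes.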
@@ -17,4 +18,4 @@ def self.installed?
end
end
-end
+end
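Review bot: as in `lib/webbynode.rb`, this `-end`/`+end` pair is a whitespace-only change (most likely a trailing newline) and can be dropped from the fix.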