Fix CVE-2015-7541

Avoid passsing possible user input directly into the shell. Instead quote the `image_path` value before calling the `convert` command. See here http://rubysec.com/advisories/CVE-2015-7541/ for more information.
quadule · Jan 6, 2016 · 570b5e8 · 570b5e8
1 parent d589ce0
commit 570b5e8
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/lib/colorscore/histogram.rb b/lib/colorscore/histogram.rb
@@ -1,7 +1,9 @@
+require "shellwords"
+
 module Colorscore
   class Histogram
     def initialize(image_path, colors=16, depth=8)
-      output = `convert #{image_path} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-`
+      output = `convert #{image_path.shellescape} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors.to_i} -depth #{depth.to_i} histogram:info:-`
       @lines = output.lines.sort.reverse.map(&:strip).reject(&:empty?)
     end