Fix CVE-2015-7541

flori · quadule · commit 570b5e854cec · 2016-01-06T02:03:00.000-05:00
Avoid passsing possible user input directly into the shell. Instead quote the `image_path` value before calling the `convert` command. See here http://rubysec.com/advisories/CVE-2015-7541/ for more information.
diff --git a/lib/colorscore/histogram.rb b/lib/colorscore/histogram.rb
@@ -1,7 +1,9 @@
+require "shellwords"
+
 module Colorscore
   class Histogram
     def initialize(image_path, colors=16, depth=8)
-      output = `convert #{image_path} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors} -depth #{depth} histogram:info:-`
+      output = `convert #{image_path.shellescape} -resize 400x400 -format %c -dither None -quantize YIQ -colors #{colors.to_i} -depth #{depth.to_i} histogram:info:-`
       @lines = output.lines.sort.reverse.map(&:strip).reject(&:empty?)
     end
 
