Avoid using the shell for expansion when invoking curl - this fixes

the potential security hole.
author: Steve Kemp <steve@steve.org.uk> 2012-11-19 17:36:24 +0000
committer: Steve Kemp <steve@steve.org.uk> 2012-11-19 17:36:24 +0000
commit: 0f08970de029ecea27ee740ef8dc79d1399adc71 (patch)
tree: d7c8b70b8f4ce98774997a06c6fc0b45537ab432 /lib
parent: 27fa7f6e112b2b85e78e0f33bf210b31f0911a65 (diff)
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/custodian/webfetch.rb b/lib/custodian/webfetch.rb
index 8948958..34052ca 100644..100755
--- a/lib/custodian/webfetch.rb
+++ b/lib/custodian/webfetch.rb
@@ -69,7 +69,20 @@ class WebFetch
     #
     # Shell out to curl (!!!) to do the fetch.
     #
-    system( "curl --max-time #{timeout} --silent --location --insecure --dump-header #{head} --out #{body} --silent #{@url}")
+    # Avoid using the actual shell to avoid a security risk
+    #
+    system( "curl",
+            "--max-time",
+            timeout.to_s,
+            "--silent",
+            "--location",
+            "--insecure",
+            "--dump-header",
+            head,
+            "--out",
+            body,
+            "--silent",
+            @url )
 
 
     #
author	Steve Kemp <steve@steve.org.uk>	2012-11-19 17:36:24 +0000
committer	Steve Kemp <steve@steve.org.uk>	2012-11-19 17:36:24 +0000
commit	0f08970de029ecea27ee740ef8dc79d1399adc71 (patch)
tree	d7c8b70b8f4ce98774997a06c6fc0b45537ab432 /lib
parent	27fa7f6e112b2b85e78e0f33bf210b31f0911a65 (diff)