authorSteve Kemp <steve@steve.org.uk>2012-11-19 17:36:24 +0000
committerSteve Kemp <steve@steve.org.uk>2012-11-19 17:36:24 +0000
commit52db57df1e7cf226439ded8f18c901689755b45b (patch)
treed7c8b70b8f4ce98774997a06c6fc0b45537ab432 /lib
parent8254a297c8f44ef935bc84597bd19bc6a425d2a0 (diff)
Avoid using the shell for expansion when invoking curl - this fixes
the potential security hole.
Diffstat (limited to 'lib')
-rwxr-xr-x[-rw-r--r--]lib/custodian/webfetch.rb15
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/custodian/webfetch.rb b/lib/custodian/webfetch.rb
index 8948958..34052ca 100644..100755
--- a/lib/custodian/webfetch.rb
+++ b/lib/custodian/webfetch.rb
@@ -69,7 +69,20 @@ class WebFetch
#
# Shell out to curl (!!!) to do the fetch.
#
- system( "curl --max-time #{timeout} --silent --location --insecure --dump-header #{head} --out #{body} --silent #{@url}")
+ # Avoid using the actual shell to avoid a security risk
+ #
+ system( "curl",
+ "--max-time",
+ timeout.to_s,
+ "--silent",
+ "--location",
+ "--insecure",
+ "--dump-header",
+ head,
+ "--out",
+ body,
+ "--silent",
+ @url )
#