From 0f08970de029ecea27ee740ef8dc79d1399adc71 Mon Sep 17 00:00:00 2001
From: Steve Kemp <steve@steve.org.uk>
Date: Mon, 19 Nov 2012 17:36:24 +0000
Subject:   Avoid using the shell for expansion when invoking curl - this fixes
   the potential security hole.

---
 lib/custodian/webfetch.rb | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 lib/custodian/webfetch.rb

(limited to 'lib/custodian/webfetch.rb')

diff --git a/lib/custodian/webfetch.rb b/lib/custodian/webfetch.rb
old mode 100644
new mode 100755
index 8948958..34052ca
--- a/lib/custodian/webfetch.rb
+++ b/lib/custodian/webfetch.rb
@@ -69,7 +69,20 @@ class WebFetch
     #
     # Shell out to curl (!!!) to do the fetch.
     #
-    system( "curl --max-time #{timeout} --silent --location --insecure --dump-header #{head} --out #{body} --silent #{@url}")
+    # Avoid using the actual shell to avoid a security risk
+    #
+    system( "curl",
+            "--max-time",
+            timeout.to_s,
+            "--silent",
+            "--location",
+            "--insecure",
+            "--dump-header",
+            head,
+            "--out",
+            body,
+            "--silent",
+            @url )
 
 
     #
-- 
cgit v1.2.1