[openstreetmap/openstreetmap-website] Use Open3.capture2 instead of backticks, to avoid command line injection risks (#2597)

Andy Allan notifications at github.com
Wed Apr 22 12:00:11 UTC 2020


@gravitystorm commented on this pull request.



> @@ -117,7 +117,7 @@ def trace_name
   end
 
   def mime_type
-    filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+    filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name)[0].chomp
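
Review bot: On the added `Open3.capture2` line, `trace_name` follows `"-Lbz"` directly, so a value beginning with `-` would still be parsed by `file` as an option even though no shell is involved; passing `"--"` as a separate argument before `trace_name` ends option parsing and closes that off. The `[0]` also keeps only stdout and discards the process status, as the backtick version did, so a non-zero exit from `/usr/bin/file` goes unnoticed; consider `out, status = Open3.capture2(...)` and handling `!status.success?` before using the output.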

Me too! I'm not sure why I overlooked this.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2597#discussion_r412918711