lib/yodel/models/core/attachments/image.rb in yodel-0.0.4 vs lib/yodel/models/core/attachments/image.rb in yodel-0.0.7
- old
+ new
@@ -7,11 +7,13 @@
def crop_image
sizes = (@field.options['sizes'] || {}).to_hash.merge('admin_thumb' => '100x100')
return unless exist?
# determine image dimensions
- dimensions = `#{Yodel.config.identify_path} -ping -format "%w %h" #{path}`
+ # FIXME: uploaded file names with '..' and slashes etc. could be a security issue
+ escaped_path = "\"#{path.gsub('"', '\"')}\""
+ dimensions = `#{Yodel.config.identify_path} -ping -format "%w %h" #{escaped_path}`
unless ('0'..'9').include?(dimensions[0])
raise "Invalid image format or unknown Image Magick error: #{dimensions}"
else
iw, ih = dimensions.split.map(&:to_i)
end
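Review bot: The quoting added at L11 is incomplete for a shell command: inside double quotes the shell still expands `$`, backticks and `\`, so a path containing `$(...)` or `` ` `` would still be executed by the backtick call at L12 — only the `"` character is neutralised. The standard-library helper handles every metacharacter: `escaped_path = Shellwords.escape(path.to_s)` (with `require 'shellwords'` at the top of the file, which is outside this hunk). Also note that the FIXME about `..` and slashes is not addressed by quoting at all; if `path` is derived from the uploaded filename, it should be constrained to the upload directory before it reaches this method, and ImageMagick itself interprets certain filename prefixes as coder/pipe directives, so an attacker-influenced name is a risk even when shell-escaped — I'd either prefix the argument with an explicit coder or ensure the stored name is app-generated. `crop_image` continues past the end of this hunk.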
@@ -23,10 +25,10 @@
aspect = sw.to_f / sh.to_f
w, h = (ih * aspect), (iw / aspect)
w = [iw, w].min.to_i
h = [ih, h].min.to_i
- command = "#{Yodel.config.convert_path} #{path} "
+ command = "#{Yodel.config.convert_path} #{escaped_path} "
command += "-crop '#{w}x#{h}+#{(iw-w)/2}+#{(ih-h)/2}' "
command += "-resize '#{sw}x#{sh}' "
command += "-quality #{Yodel.config.image_quality} "
command += resized_image_path(size_name, false).to_s
result = `#{command}`
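Review bot: The input path is now quoted at L24, but the output path appended at L28 is still interpolated raw, so a `resized_image_path` containing a space or shell metacharacter would break or be reinterpreted by the shell at L29; the `-crop`/`-resize`/`-quality` values are also built by string interpolation and protected only by single quotes. Rather than escaping each piece separately, the cleaner fix is to stop going through the shell and pass an argv array to `Open3.capture2e`, which keeps the same command line and still returns the output for the checks that follow L29. This needs `require 'open3'` at the top of the file, which is outside this hunk; `crop_image` begins before L18 and continues after L29, so the use of `result` below should be adjusted to the two-value return if it only reads the string.

```ruby
# … unchanged: aspect/w/h computation …
argv = [Yodel.config.convert_path, path.to_s,
        '-crop', "#{w}x#{h}+#{(iw - w) / 2}+#{(ih - h) / 2}",
        '-resize', "#{sw}x#{sh}",
        '-quality', Yodel.config.image_quality.to_s,
        resized_image_path(size_name, false).to_s]
# argv form: no shell, so no quoting of paths or size options is needed
result, status = Open3.capture2e(*argv)
```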