Merge pull request #90 from knoopx/master

HamptonMakes · HamptonMakes · commit b10c8288a717 · 2012-07-04T07:31:27.000-07:00
Security Fix
diff --git a/lib/mini_magick.rb b/lib/mini_magick.rb
@@ -2,6 +2,7 @@
 require 'subexec'
 require 'stringio'
 require 'pathname'
+require 'shellwords'
 
 module MiniMagick
   class << self
@@ -487,7 +488,7 @@ def add_command(command, *options)
     end
     
     def escape_string(value)
-      '"' + value + '"'
+      Shellwords.escape(value.to_s)
     end
 
     def add_creation_operator(command, *options)
diff --git a/test/command_builder_test.rb b/test/command_builder_test.rb
@@ -6,21 +6,21 @@ class CommandBuilderTest < Test::Unit::TestCase
   def test_basic
     c = CommandBuilder.new("test")
     c.resize "30x40"
-    assert_equal "-resize \"30x40\"", c.args.join(" ")
+    assert_equal '-resize 30x40', c.args.join(" ")
   end
 
   def test_complicated
     c = CommandBuilder.new("test")
     c.resize "30x40"
     c.alpha "1 3 4"
     c.resize "mome fingo"
-    assert_equal "-resize \"30x40\" -alpha \"1 3 4\" -resize \"mome fingo\"", c.args.join(" ")
+    assert_equal '-resize 30x40 -alpha 1\ 3\ 4 -resize mome\ fingo', c.args.join(" ")
   end
 
   def test_plus_modifier_and_multiple_options
     c = CommandBuilder.new("test")
     c.distort.+ 'srt', '0.6 20'
-    assert_equal "+distort \"srt\" \"0.6 20\"", c.args.join(" ")
+    assert_equal '+distort srt 0.6\ 20', c.args.join(" ")
   end
   
   def test_valid_command
