Use Open3.capture2 instead of backticks, to avoid command line injection risks

[rails.git] / app / models / trace.rb

diff --git a/app/models/trace.rb b/app/models/trace.rb
index adaba52ae23b87b301598f5d32e26dc8787224e7..959d82e1c790b720173d7596d4cdca4ea80d0e48 100644 (file)
--- a/app/models/trace.rb
+++ b/app/models/trace.rb
@@ -25,7 +25,7 @@
 #  gpx_files_user_id_fkey  (user_id => users.id)
 #
 
-class Trace < ActiveRecord::Base
+class Trace < ApplicationRecord
   self.table_name = "gpx_files"
 
   belongs_to :user, :counter_cache => true
@@ -117,7 +117,7 @@ class Trace < ActiveRecord::Base
   end
 
   def mime_type
-    filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+    filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
     gzipped = filetype =~ /gzip compressed/
     bzipped = filetype =~ /bzip2 compressed/
     zipped = filetype =~ /Zip archive/
@@ -139,7 +139,7 @@ class Trace < ActiveRecord::Base
   end
 
   def extension_name
-    filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+    filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
     gzipped = filetype =~ /gzip compressed/
     bzipped = filetype =~ /bzip2 compressed/
     zipped = filetype =~ /Zip archive/
@@ -208,8 +208,7 @@ class Trace < ActiveRecord::Base
   end
 
   def xml_file
-    # TODO: *nix specific, could do to work on windows... would be functionally inferior though - check for '.gz'
-    filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+    filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
     gzipped = filetype =~ /gzip compressed/
     bzipped = filetype =~ /bzip2 compressed/
     zipped = filetype =~ /Zip archive/
@@ -245,7 +244,7 @@ class Trace < ActiveRecord::Base
   def import
     logger.info("GPX Import importing #{name} (#{id}) from #{user.email}")
 
-    gpx = ::GPX::File.new(trace_name)
+    gpx = GPX::File.new(trace_name)
 
     f_lat = 0
     f_lon = 0