Merge pull request #4200 from jekyll/pull/prevent-shell-injection

Prevent shell injection when opening a URL.
2015-11-29 21:41:39 -06:00 · 2015-11-29 21:41:39 -06:00 · 9ff614c2f8
parent 2a4aa0fdb1 c8edb15820
commit 9ff614c2f8
1 changed files with 7 additions and 15 deletions
--- a/lib/jekyll/commands/serve.rb
+++ b/lib/jekyll/commands/serve.rb
@ -46,24 +46,16 @@ module Jekyll
            file_handler_options
          )

+
          server_address_str = server_address(s, options)
          Jekyll.logger.info "Server address:", server_address_str

-          begin
-            command_name = ""
+          if options["open_url"]
+            command = Utils::Platforms.windows?? "start" : Utils::Platforms.osx?? \
+              "open" : "xdg-open"
              
-            if Utils::Platforms.windows?
-              command_name = "start"
-            elsif Utils::Platforms.osx?
-              command_name = "open"
-            elsif Utils::Platforms.linux?
-              command_name = "xdg-open"
-            end
-
-            system("#{command_name} #{server_address_str}")
-          rescue
-            Jekyll.logger.info "Could not open URL, exception was thrown"
-          end if options['open_url']
+            system command, server_address_str
+          end

          if options['detach'] # detach the server
            pid = Process.fork { s.start }