From c8edb1582071d24019bd0d9b3f8dc6b8875f3d4b Mon Sep 17 00:00:00 2001 From: Jordon Bedwell Date: Sun, 29 Nov 2015 21:22:27 -0600 Subject: [PATCH] Prevent shell injection when opening a URL. --- lib/jekyll/commands/serve.rb | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/lib/jekyll/commands/serve.rb b/lib/jekyll/commands/serve.rb index c26cd48d..389ae5a2 100644 --- a/lib/jekyll/commands/serve.rb +++ b/lib/jekyll/commands/serve.rb @@ -46,24 +46,16 @@ module Jekyll file_handler_options ) + server_address_str = server_address(s, options) Jekyll.logger.info "Server address:", server_address_str - begin - command_name = "" - - if Utils::Platforms.windows? - command_name = "start" - elsif Utils::Platforms.osx? - command_name = "open" - elsif Utils::Platforms.linux? - command_name = "xdg-open" - end - - system("#{command_name} #{server_address_str}") - rescue - Jekyll.logger.info "Could not open URL, exception was thrown" - end if options['open_url'] + if options["open_url"] + command = Utils::Platforms.windows?? "start" : Utils::Platforms.osx?? \ + "open" : "xdg-open" + + system command, server_address_str + end if options['detach'] # detach the server pid = Process.fork { s.start }
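Review bot: The result of `system command, server_address_str` is discarded, and with the old `rescue` gone a missing or failing opener now passes silently; `system` returns `nil` when the command cannot be run and `false` on a non-zero exit, so `Jekyll.logger.warn "Could not open URL:", server_address_str unless system(command, server_address_str)` would keep the user informed. The argv form is what closes the injection on the `open` and `xdg-open` branches, since no shell parses the address there. The `start` branch needs a separate check: `start` is a cmd.exe builtin rather than a program on PATH, so it is worth confirming how Ruby spawns it on Windows and whether the address still passes through cmd.exe's parser. The enclosing method starts and ends outside the hunk.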