Stop using openuri to open non http strings

2025-12-04 00:01:11 -05:00 · 2015-02-28 23:25:31 +02:00 · 2015-02-28 23:25:31 +02:00 · 617449d4b5
commit 617449d4b5
parent 82d3525f40
4 changed files with 25 additions and 9 deletions
--- a/README.textile
+++ b/README.textile
@ -18,9 +18,10 @@ You only need supply the uri, and FastImage will do the rest.

 h2. Features

-Fastimage can also read local (and other) files, and uses the Addressable library to do so.
+Fastimage can also read local (and other) files - anything that is not parseable as a URI will be
+interpreted as a filename, and FastImage will attempt to open it with File#open.

-FastImage will automatically read from any object that responds to :read - for
+FastImage will also automatically read from any object that responds to :read - for
 instance an IO object if that is passed instead of a URI.

 FastImage will follow up to 4 HTTP redirects to get the image.
@ -31,6 +32,10 @@ You can add a timeout to the request which will limit the request time by passin

 FastImage normally replies will nil if it encounters an error, but you can pass :raise_on_failure => true to get an exception.

+h2. Security
+
+As of v1.6.7 FastImage no longer uses openuri to open files, but directly calls File.open. But take care to sanitise the strings passed to FastImage; it will try to read from whatever is passed.
+
 h2. Examples

 <pre lang="ruby"><code>
--- a/fastimage.gemspec
+++ b/fastimage.gemspec
@ -1,10 +1,10 @@
 Gem::Specification.new do |s|
  s.name = %q{fastimage}
-  s.version = "1.6.6"
+  s.version = "1.6.7"

  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
  s.authors = ["Stephen Sykes"]
-  s.date = %q{2014-12-05}
+  s.date = %q{2015-02-28}
  s.description = %q{FastImage finds the size or type of an image given its uri by fetching as little as needed.}
  s.email = %q{sdsykes@gmail.com}
  s.extra_rdoc_files = [
--- a/lib/fastimage.rb
+++ b/lib/fastimage.rb
@ -11,7 +11,7 @@
 # FastImage knows about GIF, JPEG, BMP, TIFF, ICO, CUR, PNG, PSD and WEBP files.
 #
 # FastImage can also read files from the local filesystem by supplying the path instead of a uri.
-# In this case FastImage uses the Addressable library to read the file in chunks of 256 bytes until
+# In this case FastImage reads the file in chunks of 256 bytes until
 # it has enough. This is possibly a useful bandwidth-saving feature if the file is on a network
 # attached disk rather than truly local.
 #
@ -168,12 +168,12 @@ class FastImage
      begin
        @parsed_uri = Addressable::URI.parse(uri)
      rescue Addressable::URI::InvalidURIError
-        fetch_using_open_uri
+        fetch_using_file_open
      else
        if @parsed_uri.scheme == "http" || @parsed_uri.scheme == "https"
          fetch_using_http
        else
-          fetch_using_open_uri
+          fetch_using_file_open
        end
      end
    end
@ -304,8 +304,8 @@ class FastImage
    parse_packets FiberStream.new(read_fiber)
  end

-  def fetch_using_open_uri
-    open(@uri) do |s|
+  def fetch_using_file_open
+    File.open(@uri) do |s|
      fetch_using_read(s)
    end
  end
--- a/test/test.rb
+++ b/test/test.rb
@ -279,4 +279,15 @@ class FastImageTest < Test::Unit::TestCase
      FastImage.size(url, :raise_on_failure => true)
    end
  end
+  
+  def test_cant_access_shell
+    url = "|echo>shell_test"
+    %x{rm -f shell_test}
+    FastImage.size(url)
+    assert_raises(Errno::ENOENT) do
+      File.open("shell_test")
+    end
+  ensure
+    %x{rm -f shell_test}
+  end
 end