Stop using openuri to open non http strings

README.textile

@@ -18,9 +18,10 @@ You only need supply the uri, and FastImage will do the rest.
 
 h2. Features
 
-Fastimage can also read local (and other) files, and uses the Addressable library to do so.
+Fastimage can also read local (and other) files - anything that is not parseable as a URI will be
+interpreted as a filename, and FastImage will attempt to open it with File#open.
 
-FastImage will automatically read from any object that responds to :read - for
+FastImage will also automatically read from any object that responds to :read - for
 instance an IO object if that is passed instead of a URI.
 
 FastImage will follow up to 4 HTTP redirects to get the image.
@@ -31,6 +32,10 @@ You can add a timeout to the request which will limit the request time by passin
 
 FastImage normally replies will nil if it encounters an error, but you can pass :raise_on_failure => true to get an exception.
 
+h2. Security
+
+As of v1.6.7 FastImage no longer uses openuri to open files, but directly calls File.open. But take care to sanitise the strings passed to FastImage; it will try to read from whatever is passed.
+
 h2. Examples
 
 <pre lang="ruby"><code>

fastimage.gemspec

@@ -1,10 +1,10 @@
 Gem::Specification.new do |s|
   s.name = %q{fastimage}
-  s.version = "1.6.6"
+  s.version = "1.6.7"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Stephen Sykes"]
-  s.date = %q{2014-12-05}
+  s.date = %q{2015-02-28}
   s.description = %q{FastImage finds the size or type of an image given its uri by fetching as little as needed.}
   s.email = %q{sdsykes@gmail.com}
   s.extra_rdoc_files = [

lib/fastimage.rb

@@ -11,7 +11,7 @@
 # FastImage knows about GIF, JPEG, BMP, TIFF, ICO, CUR, PNG, PSD and WEBP files.
 #
 # FastImage can also read files from the local filesystem by supplying the path instead of a uri.
-# In this case FastImage uses the Addressable library to read the file in chunks of 256 bytes until
+# In this case FastImage reads the file in chunks of 256 bytes until
 # it has enough. This is possibly a useful bandwidth-saving feature if the file is on a network
 # attached disk rather than truly local.
 #
@@ -168,12 +168,12 @@ class FastImage
       begin
         @parsed_uri = Addressable::URI.parse(uri)
       rescue Addressable::URI::InvalidURIError
-        fetch_using_open_uri
+        fetch_using_file_open
       else
         if @parsed_uri.scheme == "http" || @parsed_uri.scheme == "https"
           fetch_using_http
         else
-          fetch_using_open_uri
+          fetch_using_file_open
         end
       end
     end
@@ -304,8 +304,8 @@ class FastImage
     parse_packets FiberStream.new(read_fiber)
   end
 
-  def fetch_using_open_uri
+  def fetch_using_file_open
-    open(@uri) do |s|
+    File.open(@uri) do |s|
       fetch_using_read(s)
     end
   end

test/test.rb

@@ -279,4 +279,15 @@ class FastImageTest < Test::Unit::TestCase
       FastImage.size(url, :raise_on_failure => true)
     end
   end
+  
+  def test_cant_access_shell
+    url = "|echo>shell_test"
+    %x{rm -f shell_test}
+    FastImage.size(url)
+    assert_raises(Errno::ENOENT) do
+      File.open("shell_test")
+    end
+  ensure
+    %x{rm -f shell_test}
+  end
 end