Command injection in video_screenshoter ruby gem
7/22/2013
Larry W. Cashdollar @_larry0
https://rubygems.org/gems/video_screenshoter

The following function doesn't sanitize user input; if this gem is used in the context of a Rails application, it could allow remote command injection.

    # File 'lib/video_screenshoter/abstract.rb', line 51
    def imagemagick_run scr
      if presets
        presets.each do |preset_name, preset|
          # scr (the video path) is interpolated into a shell command string
          cmd = imagemagick_command(scr, preset_name)
          puts cmd if verbose
          # backticks hand the whole string to /bin/sh, so any shell
          # metacharacters in scr are interpreted as commands
          `#{cmd}`
        end
      end
    end
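As an added illustration (this is not code from the gem or from the advisory), the backtick pattern above is shown beside two hardened variants. `echo` stands in for ImageMagick's `convert` binary so the example runs anywhere, and the input string is constructed to contain a shell metacharacter; nothing here is taken from the gem's own API.

```ruby
require "open3"
require "shellwords"

# Constructed stand-in for a user-controlled video path (not from the page).
# The ";" is enough to show how the two execution paths differ.
EXAMPLE_INPUT = "clip.mp4; echo INJECTED"

# Mirrors the gem's pattern: build one string and hand it to the shell via
# backticks. /bin/sh parses the string, so the ";" starts a second command.
def vulnerable_run(path)
  cmd = "echo #{path}"
  `#{cmd}`
end

# Hardened: pass an argv array to Open3.capture2. No shell is involved, so the
# path reaches the program as a single literal argument whatever it contains.
def hardened_run(path)
  out, _status = Open3.capture2("echo", path)
  out
end

# If a single shell string is unavoidable (e.g. the command is also logged or
# shown with `verbose`), escape each argument with Shellwords before building it.
def hardened_command_string(path)
  "echo #{Shellwords.escape(path)}"
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable:\n#{vulnerable_run(EXAMPLE_INPUT)}"
  puts "argv form:\n#{hardened_run(EXAMPLE_INPUT)}"
  puts "escaped string: #{hardened_command_string(EXAMPLE_INPUT)}"
end
```

The argv form is the one to prefer in a fix: it removes the shell from the picture entirely, whereas escaping only stays correct as long as every interpolated value is escaped every time.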