Title: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem

Unescaped user supplied input is passed to the command line for shell execution:

from fog-dragonfly-0.8.2/lib/dragonfly/imagemagickutils.rb:

    def convert(tempobject, args='', format=nil)
      tempfile = newtempfile(format)
      run "#{convertcommand} #{args} #{tempobject.path} #{tempfile.path}"
      tempfile
    end
    . . .
    def run(command)
      log.debug("Running command: #{command}") if ImageMagickUtils.log_commands
      begin
        result = `#{command}`
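The following is an added example, not code from the gem or the advisory: it reproduces the interpolate-then-backtick pattern of `convert`/`run` next to an argv-style call that never involves a shell. `echo` stands in for the convert command so it runs without ImageMagick; the method names, file names and the sample `args` value are constructed for illustration.

```ruby
require "open3"
require "shellwords"

# Stand-in for the convert command (assumption: a harmless program that
# prints its arguments, so the effect of each call is visible).
CONVERT = "echo"

# Constructed input: a resize option followed by a shell metacharacter.
SAMPLE_ARGS = "-resize 10x10; echo INJECTED"

# Same shape as the advisory's code: everything is interpolated into one
# string and handed to the shell via backticks, so ';' ends the first
# command and starts a second one.
def convert_unsafe(args, src, dst)
  `#{CONVERT} #{args} #{src} #{dst}`
end

# Hardened form: split args into words, then pass an argv array.
# Open3 with multiple arguments executes the program directly, so
# metacharacters in args are delivered as literal argument text.
# Note: this removes shell interpretation only; which options the
# caller may pass still needs its own allowlist.
def convert_safe(args, src, dst)
  argv = Shellwords.split(args) # raises ArgumentError on unmatched quotes
  out, status = Open3.capture2e(CONVERT, *argv, src, dst)
  raise "command failed: #{out}" unless status.success?
  out
end

if __FILE__ == $0
  puts "unsafe output:"
  puts convert_unsafe(SAMPLE_ARGS, "in.png", "out.png")
  puts "safe output:"
  puts convert_safe(SAMPLE_ARGS, "in.png", "out.png")
end
```

Two lines of output from the unsafe call mean the shell ran two commands; the safe call prints the whole `args` value back as literal arguments on one line.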