
I am running the brakeman gem over a project. It's complaining about some exec commands that are being run.

Current code:

Process.fork {exec "pdftk #{uncrypted_pdf_file} output #{pdf_file} owner_pw #{password} allow printing"}

Brakeman complains suggesting there's a possibility for command injection. I have tried a few different combinations of calling exec for example:

Process.fork {exec "pdftk", uncrypted_pdf_file, " output #{pdf_file} ", "owner_pw #{password}", "allow printing"}

But as you'd expect, each argument just gets passed to pdftk in turn and so it falls over.

Is there a way to call a command in one shot and also protect against command injection? In our specific case it's safe enough anyway as we control all the variables, but it'd be good to know the right way.


1 Answer


You need to pass each argument separately:

exec "pdftk", uncrypted_pdf_file, "output", pdf_file, "owner_pw", password, "allow", "printing"

You may also need to give the full path to pdftk.

Answered 2014-07-31T05:19:46.877
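As an added illustration, not part of the original answer, here is the argv form from the answer beside the single-string form from the question, using `echo` in place of pdftk so it runs anywhere. The pdftk path and the hostile filename are constructed assumptions.

```ruby
require "open3"
require "shellwords"

# Build the pdftk argument vector as the answer suggests: every token is its
# own array element, so no shell ever sees the variable values.
# The default path is an assumption; adjust it for your system.
def pdftk_argv(input_pdf, output_pdf, password, pdftk_path: "/usr/bin/pdftk")
  [pdftk_path, input_pdf, "output", output_pdf,
   "owner_pw", password, "allow", "printing"]
end

# Run an argv with no shell. Open3.capture2 with several arguments uses
# Process.spawn's argv form, so ';', '$(...)' etc. in any element are inert.
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  [out, status.success?]
end

# The question's single-string form: Ruby hands the string to /bin/sh, which
# interprets shell metacharacters inside the interpolated values.
def run_shell_string(command_string)
  out, status = Open3.capture2(command_string)
  [out, status.success?]
end

# If a shell really is needed (pipes, redirects), quote each token first.
def shell_safe_string(argv)
  Shellwords.join(argv)
end

# Constructed hostile value (not a real file): a filename carrying a ';'.
HOSTILE_NAME = "report.pdf; echo INJECTED"

if __FILE__ == $PROGRAM_NAME
  puts run_shell_string("echo #{HOSTILE_NAME}").first # two lines: second command ran
  puts run_argv(["echo", HOSTILE_NAME]).first         # one line: the literal name
  puts run_shell_string(shell_safe_string(["echo", HOSTILE_NAME])).first
  p pdftk_argv("in.pdf", "out.pdf", "s3cret")
end
```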