SECURITY: force IM decoder based on file extension - part 2

2018-07-25 23:08:02 +02:00 · 2018-07-25 23:08:02 +02:00 · 01714e40f4
parent b04b7c366c
commit 01714e40f4
2 changed files with 5 additions and 5 deletions
--- a/app/models/optimized_image.rb
+++ b/app/models/optimized_image.rb
@ -123,7 +123,7 @@ class OptimizedImage < ActiveRecord::Base
  def self.prepend_decoder!(path)
    extension = File.extname(path)[1..-1]
    raise Discourse::InvalidAccess unless extension[IM_DECODERS]
-    "#{extension}:#{path}"
+    path = "#{extension}:#{path}"
  end

  def self.thumbnail_or_resize
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@ -166,12 +166,12 @@ class UploadCreator
      "convert",
      from,
      "-auto-orient",
-      "-background white",
-      "-interlace none",
+      "-background", "white",
+      "-interlace", "none",
      "-flatten",
-      "-quality #{SiteSetting.png_to_jpg_quality}"
+      "-quality", SiteSetting.png_to_jpg_quality.to_s
    ]
-    command << "-debug all" if debug
+    command << "-debug" << "all" if debug
    command << to

    Discourse::Utils.execute_command(*command, failure_message: I18n.t("upload.png_to_jpg_conversion_failure_message"))