dragonfly
Error escaping in image identify command
I've come up against the following error when identifying a file with a quote mark in the file name:
Unmatched double quote: "identify -ping -format '%m %w %h' '/Users/brendon/Projects/SpikeAtSchool/public/files/334389048b872a53/folders/1/Johns's Document List.xlsx'"
Maybe you could move to using https://github.com/thoughtbot/cocaine to abstract and secure your command line execution?
I've come up against this again:
Unmatched double quote: "convert '/path/to/Years 8's Tech.jpg' -auto-orient '/tmp/dragonfly20180627-5005-161nlo5.jpg'"
This feels like a security problem to me. I'm using version 1.1.1 but a quick check of the History doesn't seem to show any changes in this space.
Just to clarify, the problem is being caused by the single quote in the file name of a user-uploaded file.
Just digging a bit deeper, it seems that it's possible to escape the file names:
https://github.com/markevans/dragonfly/blob/e5ca848aef74c5106d328ff06ee51dcafb8825d2/lib/dragonfly/content.rb#L170
Is there a reason why they're not escaped in this instance?
Sorry, of course that evaluates to true, but then there isn't actually any escaping, just quoting:
https://github.com/markevans/dragonfly/blob/e5ca848aef74c5106d328ff06ee51dcafb8825d2/lib/dragonfly/content.rb#L172-L173
https://github.com/markevans/dragonfly/blob/3ad0c6dded8f69773e042714be1f877b3c05797a/lib/dragonfly/shell.rb#L23-L26
Could we perhaps use Shellwords.escape()?
@markevans, would you be able to provide a bit of insight on this one? I'm happy to put together a PR to fix it but just need some direction on what you think the solution might be.
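As an added illustration (not dragonfly's own code), the following contrasts the single-quote wrapping seen in the commands above with `Shellwords.escape` and with handing the program an argv array so no shell parses the name at all; the upload path and the `convert` command shape are constructed for the example.

```ruby
require 'shellwords'

# Constructed sample: an uploaded file whose name contains a single quote,
# like "Years 8's Tech.jpg" in the issue.
SAMPLE_PATH = "/tmp/uploads/Years 8's Tech.jpg"

# Quoting as in the reported commands: wrap the path in single quotes.
# The quote inside the name closes the quoted string early, so the shell
# sees an unbalanced quote (or, worse, extra words) instead of one argument.
def naive_quote(path)
  "'#{path}'"
end

# Hardened form: Shellwords.escape backslash-escapes every POSIX shell
# metacharacter, the embedded quote included, so the name stays one word.
def safe_quote(path)
  Shellwords.escape(path)
end

def build_convert_command(src, dst, quoter)
  "convert #{quoter.call(src)} -auto-orient #{quoter.call(dst)}"
end

# Parse the command the way a POSIX shell would. Returns nil when the shell
# would reject it with an unmatched quote, which is what the issue reports.
def shell_args(command)
  Shellwords.split(command)
rescue ArgumentError
  nil
end

# Safest option: skip the shell entirely. Passing an argv array to
# Process.spawn / system / Open3 delivers each element verbatim to convert,
# so no quoting or escaping of file names is needed at all.
def argv_for(src, dst)
  ['convert', src, '-auto-orient', dst]
end
```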