gm - npm Package Compare versions

Comparing version 1.20.0 to 1.21.0

History.md

@@ -0,1 +1,5 @@
+1.21.0 / 2015-10-26 **contains security fix**
+
+* fixed: gm.compare fails to escape arguments properly (Reported by Brendan Scarvell) [rwky](https://github.com/rwky)
+
 1.20.0 / 2015-09-23
@@ -2,0 +6,0 @@

lib/compare.js

 // compare
 
-var exec = require('child_process').exec;
-var utils = require('./utils');
+var spawn = require('child_process').spawn;
 
@@ -23,4 +22,2 @@ /**
   function compare(orig, compareTo, options, cb) {
-    orig = utils.escape(orig);
-    compareTo = utils.escape(compareTo);
 
@@ -30,3 +27,3 @@ var isImageMagick = this._options && this._options.imageMagick;
     var bin = isImageMagick ? '' : 'gm ';
-    var execCmd = bin + 'compare -metric mse ' + orig + ' ' + compareTo;
+    var args = ['compare', '-metric', 'mse', orig, compareTo]
     var tolerance = 0.4;
@@ -45,12 +42,15 @@ // outputting the diff image
          // graphicsmagick defaults to red
-        var highlightColorOption = options.highlightColor
-          ? ' -highlight-color ' + options.highlightColor + ' '
-          : ' ';
-        var highlightStyleOption = options.highlightStyle
-          ? ' -highlight-style ' + options.highlightStyle + ' '
-          : ' ';
-        var diffFilename = utils.escape(options.file);
+        if (options.highlightColour) {
+            args.push('-highlight-color');
+            args.push(options.highlightColor);
+        }
+        if (options.highlightStyle) {
+            args.push('-highlight-style')
+            args.push(options.highlightStyle)
+        }
         // For IM, filename is the last argument. For GM it's `-file <filename>`
-        var diffOpt = isImageMagick ? diffFilename : ('-file ' + diffFilename);
-        execCmd += highlightColorOption + highlightStyleOption  + ' ' + diffOpt;
+        if (isImageMagick) {
+            args.push('-file');
+        }
+        args.push(options.file);
       }
@@ -66,3 +66,5 @@
       // For ImageMagick diff file is required but we don't care about it, so null it out
-      isImageMagick && (execCmd += ' null:');
+      if (isImageMagick) {
+        args.push('null:');
+      }
 
@@ -76,16 +78,24 @@ if (typeof options == 'function') {
 
-    exec(execCmd, function (err, stdout, stderr) {
+    var proc = spawn('/usr/bin/gm', args);
+    var stdout = '';
+    var stderr = '';
+    proc.stdout.on('data',function(data) { stdout+=data });
+    proc.stderr.on('data',function(data) { stderr+=data });
+    proc.on('close', function (code) {
       // ImageMagick returns err code 2 if err, 0 if similar, 1 if dissimilar
       if (isImageMagick) {
-        if (!err) {
+        if (code === 0) {
           return cb(null, 0 <= tolerance, 0, stdout);
         }
-        if (err.code === 1) {
+        else if (code === 1) {
           err = null;
           stdout = stderr;
+        } else {
+        return cb(stderr);
         }
+      } else {
+        if(code !== 0) {
+          return cb(stderr);
+        }
       }
-      if (err) {
-        return cb(err);
-      }
       // Since ImageMagick similar gives err code 0 and no stdout, there's really no matching
@@ -101,3 +111,3 @@ // Otherwise, output format for IM is `12.00 (0.123)` and for GM it's `Total: 0.123`
       var equality = parseFloat(match[1]);
-      cb(null, equality <= tolerance, equality, stdout, utils.unescape(orig), utils.unescape(compareTo));
+      cb(null, equality <= tolerance, equality, stdout, orig, compareTo);
     });
@@ -104,0 +114,0 @@ }

lib/composite.js

 // composite
 
-var utils = require('./utils');
-
 /**
@@ -6,0 +4,0 @@ * Composite images together using the `composite` command in graphicsmagick.

lib/montage.js

 // montage
 
-var utils = require('./utils');
-
 /**
@@ -6,0 +4,0 @@ * Montage images next to each other using the `montage` command in graphicsmagick.

package.json

 {
   "name": "gm",
   "description": "GraphicsMagick and ImageMagick for node.js",
-  "version": "1.20.0",
+  "version": "1.21.0",
   "author": "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -6,0 +6,0 @@ "keywords": [

README.md

@@ -162,3 +162,3 @@
 .stream('png', function (err, stdout, stderr) {
-  var writeStream = fs.createWriteStream('/path/to/my/reformated.png');
+  var writeStream = fs.createWriteStream('/path/to/my/reformatted.png');
   stdout.pipe(writeStream);
@@ -168,3 +168,3 @@ });
 // or without the callback
-var writeStream = fs.createWriteStream('/path/to/my/reformated.png');
+var writeStream = fs.createWriteStream('/path/to/my/reformatted.png');
 gm('/path/to/my/img.jpg')
@@ -171,0 +171,0 @@ .stream('png')

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

114730

increased by0.12%

Lines of code

2110

increased by0.38%

No dependency changes