Merge pull request #81 from karnov/use-uri-open

Security updates
karnov · Nov 11, 2019 · d58f911 · d58f911
2 parents 7679c50 + 46dd8c5
commit d58f911
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -15,7 +15,14 @@ Or install it yourself as:
     $ gem install htmltoword
 
 
-** Note: ** Since version 0.4.0 the ```create``` method will return a string with the contents of the file. If you want to save the file please use ```create_and_save```. See the usage for more
+**Note:** Since version 0.4.0 the ```create``` method will return a string with the contents of the file. If you want to save the file please use ```create_and_save```. See the usage for more
+
+### Security warnings
+In versions `0.7.0` and `1.0.0` we introduced a security vulnerability when allowing
+the use of local images since no check to the files was done, potentially exposing 
+sensitive files in the output zipfile.
+
+Version `1.1.0` doesn't allow the use of local images but uses an insecure `open`
 
 ## Usage
 

diff --git a/lib/htmltoword/document.rb b/lib/htmltoword/document.rb
@@ -79,7 +79,7 @@ def generate
           #stream the image files into the media folder using open-uri
             @image_files.each do |hash|
               out.put_next_entry("word/media/#{hash[:filename]}")
-              open(hash[:url], 'rb') do |f|
+              URI.open(hash[:url], 'rb') do |f|
                 out.write(f.read)
               end
             end

diff --git a/lib/htmltoword/version.rb b/lib/htmltoword/version.rb
@@ -1,3 +1,3 @@
 module Htmltoword
-  VERSION = '1.1.0'
+  VERSION = '1.1.1'
 end