Merge pull request #20 from flypapertech/fixCommandInjection

Fixes arbitrary command injection by using execFile instead of exec

Author: scravy

.travis.yml

@@ -1,4 +1,7 @@
 language: node_js
+os:
+  - linux
+  - osx
 node_js:
   - stable
   - "0.12"

lib/linux.js

@@ -1,11 +1,11 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 
 module.exports = function (iface, callback) {
-    exec("cat /sys/class/net/" + iface + "/address", function (err, out) {
+    execFile("cat", ["/sys/class/net/" + iface + "/address"], function (err, out) {
         if (err) {
             callback(err, null);
             return;
         }
         callback(null, out.trim().toLowerCase());
     });
-};
+};

lib/macosx.js

@@ -1,7 +1,7 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 
 module.exports = function (iface, callback) {
-    exec("ifconfig " + iface, function (err, out) {
+    execFile("ifconfig", [iface], function (err, out) {
         if (err) {
             callback(err, null);
             return;

lib/unix.js

@@ -1,4 +1,4 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 
 var regexRegex = /[-\/\\^$*+?.()|[\]{}]/g;
 
@@ -7,7 +7,7 @@ function escape(string) {
 }
 
 module.exports = function (iface, callback) {
-    exec("ipconfig /all", function (err, out) {
+    execFile("ipconfig", ["/all"], function (err, out) {
         if (err) {
             callback(err, null);
             return;

lib/windows.js

@@ -1,6 +1,6 @@
 {
   "name": "macaddress",
-  "version": "0.2.9",
+  "version": "0.2.10",
   "description": "Get the MAC addresses (hardware addresses) of the hosts network interfaces.",
   "main": "index.js",
   "scripts": {