Replace sanitized_text method - Fix #7

bcoles · bcoles · commit 5251744b13bd · 2016-04-23T10:58:02.000+10:00
Remove `sanitized_text` method and use `IO.popen` rather than `system` to prevent command injection.
diff --git a/lib/espeak/speech.rb b/lib/espeak/speech.rb
@@ -1,5 +1,3 @@
-require 'open3.rb'
-
 module ESpeak
   class Speech
     attr_reader :options, :text
@@ -21,37 +19,40 @@ def initialize(text, options={})
     # Speaks text
     #
     def speak
-      system(espeak_command(command_options))
+      IO.popen(espeak_command(command_options), 'r').read
     end
 
     # Generates mp3 file as a result of
     # Text-To-Speech conversion.
     #
     def save(filename)
-      system(espeak_command(command_options, "--stdout") + " | " + lame_command(filename, command_options))
+      speech = bytes_wav
+      res = IO.popen(lame_command(filename, command_options), 'r+') do |process|
+        process.write(speech)
+        process.close_write
+        process.read
+      end
+      res.to_s
     end
 
     # Returns mp3 file bytes as a result of
     # Text-To-Speech conversion.
     #
     def bytes()
-      stdout_str, stderr_str, process = Open3.capture3(espeak_command(command_options, "--stdout") + " | " + std_lame_command(command_options))
-      stdout_str
+      speech = bytes_wav
+      res = IO.popen(std_lame_command(command_options), 'r+') do |process|
+        process.write(speech)
+        process.close_write
+        process.read
+      end
+      res.to_s
     end
 
     # Returns wav file bytes as a result of
     # Text-To-Speech conversion.
     #
     def bytes_wav()
-      stdout_str, stderr_str, process = Open3.capture3(espeak_command(command_options, "--stdout"))
-      stdout_str
-    end
-
-    # espeak dies handling some chars
-    # this function sanitizes text
-    #
-    def sanitized_text
-      @text.gsub(/(!|\?|"|`|\\)/, ' ').strip
+      IO.popen(espeak_command(command_options, "--stdout"), 'r').read
     end
 
     private
@@ -73,15 +74,15 @@ def default_options
     end
 
     def espeak_command(options, flags="")
-      %|espeak "#{sanitized_text}" #{flags} -v#{options[:voice]} -p#{options[:pitch]} -k#{options[:capital]} -s#{options[:speed]}|
+      ['espeak', "#{@text}", "#{flags}", "-v#{options[:voice]}", "-p#{options[:pitch]}", "-k#{options[:capital]}", "-s#{options[:speed]}"]
     end
 
     def std_lame_command(options)
       lame_command("-", options)
     end
 
     def lame_command(filename, options)
-      "lame -V2 - #{filename} #{'--quiet' if options[:quiet] == true}"
+      ['lame', '-V2', '-', "#{filename}", "#{'--quiet' if options[:quiet] == true}"]
     end
 
     def symbolize_keys(hash)
