Security fixes for download-3rd-party.rb

george-gca · Teusner · commit 628d59f8a7d7 · 2025-07-30T09:50:19.000+02:00
diff --git a/_plugins/download-3rd-party.rb b/_plugins/download-3rd-party.rb
@@ -70,7 +70,7 @@ def download_file(url, dest)
     unless File.file?(dest)
       puts "Downloading #{url} to #{dest}"
       File.open(dest, "wb") do |saved_file|
-        URI.open(url, "rb") do |read_file|
+        URI(url).open("rb") do |read_file|
           saved_file.write(read_file.read)
         end
       end
@@ -148,7 +148,7 @@ def download_fonts_from_css(config, url, dest, lib_name, file_types)
       puts "Downloading fonts from #{url} to #{dest}"
       # download the css file with a fake user agent to force downloading woff2 fonts instead of ttf
       # user agent from https://www.whatismybrowser.com/guides/the-latest-user-agent/chrome
-      doc = Nokogiri::HTML(URI.open(url, "User-Agent" => "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"))
+      doc = Nokogiri::HTML(URI(url).open("User-Agent" => "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"))
       css = CssParser::Parser.new
       css.load_string! doc.document.text
 
