From ab5d6e51d903303128b71d73c09239a07377feb9 Mon Sep 17 00:00:00 2001
From: Scott Davis <jetviper21@gmail.com>
Date: Thu, 9 Jun 2011 16:27:23 -0400
Subject: [PATCH] updated importer to validate that sprites are png files

---
 lib/compass/sprite_importer.rb                 |  10 ++++++++++
 .../images/bad_extensions/ten-by-ten.gif       | Bin 0 -> 2804 bytes
 .../images/bad_extensions/twenty-by-twenty.jpg | Bin 0 -> 2799 bytes
 test/units/sprites/importer_test.rb            |  17 +++++++++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 test/fixtures/sprites/public/images/bad_extensions/ten-by-ten.gif
 create mode 100644 test/fixtures/sprites/public/images/bad_extensions/twenty-by-twenty.jpg

diff --git a/lib/compass/sprite_importer.rb b/lib/compass/sprite_importer.rb
index 83d3692d..0d92fda9 100644
--- a/lib/compass/sprite_importer.rb
+++ b/lib/compass/sprite_importer.rb
@@ -3,6 +3,7 @@ module Compass
     attr_accessor :uri, :options
     VAILD_FILE_NAME = /\A#{Sass::SCSS::RX::IDENT}\Z/
     SPRITE_IMPORTER_REGEX = %r{((.+/)?([^\*.]+))/(.+?)\.png}
+    VALID_EXTENSIONS = ['.png']
     
     def self.load(uri, options)
       klass = Compass::SpriteImporter.new
@@ -89,6 +90,14 @@ module Compass
       end
     end
     
+    def validate_sprites!
+      files.each do |file|
+        unless VALID_EXTENSIONS.include? File.extname(file)
+          raise Compass::Error, "Invalid sprite extension only: #{VALID_EXTENSIONS.join(',')} images are allowed"
+        end
+      end
+    end
+    
     # Returns the sass options for this sprite
     def sass_options
       @sass_options ||= options.merge(:filename => name, :syntax => :scss, :importer => self)
@@ -96,6 +105,7 @@ module Compass
     
     # Returns a Sass::Engine for this sprite object
     def sass_engine
+      validate_sprites!
       Sass::Engine.new(content_for_images, sass_options)
     end
     
diff --git a/test/fixtures/sprites/public/images/bad_extensions/ten-by-ten.gif b/test/fixtures/sprites/public/images/bad_extensions/ten-by-ten.gif
new file mode 100644
index 0000000000000000000000000000000000000000..c0ae53ccadde24b58be417ca95dcb57eb6da4f1a
GIT binary patch
literal 2804
zcmV<Q3Jdj#P)<h;3K|Lk000e1NJLTq000UA000UI0ssI20#I1$000VcX+uL$Nkc;*
zP;zf(X>4Tx0C)k_mUmQB$sWh&-t<OGh;%~ly@NpL1f)n6L?t8;LWv=C?8xE@tSBlX
zMFd@G3O0(Y1+idT1QoF_$ReOT7YjC2-VGdB&v|eEd;h#SXXbwHcYgDmxp!vH`2s-h
zU<-vwuoM8vf;3T(mn&mML?i?E2%rHC5CH*5usNwhm%zYf;2+C}`v4Mm-Zc{E`p2;U
z-XYD6P2~Up1tQ%s+*D37!lw~_&k>5!0D$We?#oOQB8<vHm?lCNh;WgZdGmZw%rWyU
z9!nF21i2wG*8sqi*=!LH0Mb1~XJl}ANFLIAgiQrpz5oESCc;jfcs3Vdqyod_<h5en
ziLh?W4|#Y$Fq<8-n3K)sE%N-gAS029-TA4)BzE@P%m1=TPD)4q*Ibc7TCyO?U%WSD
zq>gjh?!F5wOq$!XIXzYo8oZzjV*CRZI8Njlw7|kN*B>}AWI@k~ck^H1*i?_jJPB+c
z@t)1)7o`V<E^ul_u*U-D#D|10FgMnHQIF$$vKDlH8f$T`#I?SQYXEM54+J0<Bm;I@
zY!<R_0JyCcW{dc|_%wzKa?)ZA87u+E*pOjvYGx|#{=X^WJ2t=Acl5ct1JQ5%t*z4q
zfLSI!`+sZUCjdCg1VHxO-<rlZ0H{c8XAdV`lrf(VEq-8-n=6UjUwNPcG=MHJ0_MOP
zH~=Q_06ri9gn$UJ8gM{7@^3{T6RZbYKt3o0JHcL14ywT+P!EoQlb{`(1sB0pa1-=_
z0q__Mfl=@ZOo0zz27(|QM1iP~JfsR~K?aaHWD7Y#9?&u<2#SEBAs!@v(xLUxR;Umv
zfy$v8r~x_woq;Yw*P(vsAv6q4KyRThFbXEaG*}tdhD~5w*ah~5L*P{~4^Dw|;5>K-
zTn5*|N8vX3B774bfQR5$@H7gbNGLi=4P}I~MY*8@P?4xOlnAvERe&l*)uNhFov0qv
zUDOb267?C4MN`oXv=Q0??TrpabI>X1jp!nDIl3O*hQ5rxiylT#p}%7&7$uAW#va4M
ztibRvnV5V`Ddq^K6>|kMfEmSnz+$m<tPa)&>y3@TCSccLi?CJL7Hk)`A3K7b#^G@C
zI0Kv`E&#{IrQz~%`*BBc7jSoQqqt9a5?&Q=j`zez;sy9zd?~&We;$7aKZc(nND;IM
z_JjZemyk^;CLAVo5^fVl2{S}#q7KoK7(z@SZXuQtn~7J5Pl)eGB$7JGj<lS_Cv7H`
zk&ctDk%md1$ueYpvKu*yoKD_Bt|NDmACliuC=_i9lM+cuqwJtGP%crPQ9emfC5$Cl
z5?qN*5)~3{5_cqCOA;itBwZv|OXf(HN}iIuEjcMgkkXcNlVVG4l&X+ABQ+>BElrg+
zlMawhmM)TRl)f%KE`yWNmhq6`%H+u$lDQ-^LPb$EsBTmabu0BS^$K;AhNbDyShNIM
zA?+Bgmo_CUBWo!eCYvQ&A$v}Ch>oIb(^>Q+dNKVZ{XYH666GZ>OJbL7U(&qf&XSLE
zigHZ3Sh)hZ7P$erFY*j|5BWs-UGnYnPZiJ#`U=YxG8GOeTv3=*q$xTmauf>`PbxlA
zf|c}@f|S-N9a6fbG_9<n?4>MJ-miQ~c~XV0!c<96*`sn^WkQvz>ZHn7-J^Oz^(8}=
z;lfB_lrb(drqq<wyw%dxYSenwX4G}mL)CNDThyOw5H)Ny;xzVXbZbm$s%rXauGehR
ze56Itvek;$+Naf{^-)_#J6wC4cDwetj+_olCr77A=ZP*w*I743w^sL_9#+p*FHx^b
zuTLM=x6+T-uh74302^2v@C~XA`VBFLc7_7OTEjsjvXP5XhEbEzurb|unQ^XhyYXui
zO_NBIT_!yy-%YJdlS~hrJ~opv^D)ac>oj|7u5ZpUuQ0!7L9y_(*ksXR@y61?GS>2d
z<pV3Km7mo%t8S}r);886>t^c-8%>*Nn@XEOTbga4ZISIYJB*#H-6p%UcAxF7?bGZ}
z+W+NX<dEpl=rF!iXKC!x!%IgT)g9T6HI74045w(PgHA)vYR+uuTIc6X4JMa)ggNG-
z=aS%Z)aA9SsjJAf)%ByBz1s%2E_al>mwSPGuZN6Bs7JZSGf#C-o@bNil$Vv)I<GEo
zjJL1%F7H8>GK<4%U`_eh_-ydG>`V3y_AU2)zD$3aXj!Kp?C0aR+wY0LmcPKiJpcr-
z0(J*H4b%xt3H)t2c6s3PisdhY%!1Yj^#oIc*912Pe+Y36DGqrYsvDXf+8rht78TYI
z_A%T&yd->Rg~^HyD{e+8MDQazB5{#nkw+q@S9+}6yK*$jDk?wf{wkeSS*xzER#=_1
z`rI1HHS9H~qA}6o(T&kx*#YcY_H+y@rZQ%V<Hp&?dBtUN_i!g-9b-#k$Ko90O5(<O
zj=bHxiFoJu()dZf8^4_YCc!(QI^kntKw@3uY*KhqOENw=I{A!1Mvy4DyjEpx*4lod
zfiPb<lwzN<H)TrXD>{-2rLIctNTVTU=2p6H`cLV@8BQ4$8J{x4GEZemX9==yW$R~e
z&mPP1%=vX4dL3t7_j<MUTh<S6aM@6^5!x8Dv3rxoro2s~o4q#IZy|0;-12*_X>LjG
z`>o+yJM)zDHs_7}<n>cizC^w#e{h?_w(6hJKl6X?-EOgc|Mu?%+=3g0riG=2UyC?J
zH-0hurR<m49dSE)i>-?f?8NRA?7Y9rc~^ajbV*Lh$Zo&gZF?Ad3iiC;yJqk8Qp?in
zeZ+m~`-aMvm38db+`n`G*Yf!CfeP1(mP)0{?Uf&^xK(!!Fb_0WD_0j*e>uoM_@KtC
zrma@Hw)7D8P{yGbhr<r{{A&Aa!x4oeg-5>C3F?OGgX%9g*fcaWDm4~2!A<E+6Gx+t
z_8oIS*3oR#T+>2tDLf92ryqZLBKpMrlfEarPuZSoKCN}SvX$Ce&<3?-w@tOjw-0qh
zbo8I`In&+g(AoN%@o#l!)y`I&lRZ~_o_Id*{OpCC3)5Y~uE~qMizD4@x*uO!ap~UW
z<(GS}_+Gho)${759+#dA*Bq~%y>5T~%njQc?KiD&w%xM2)%v^D@2$Poy=}K`Zg=$A
z^>y|y?LU9V`Od|=?su==W8J$s;6KoRKlJ{C!KlHZ2iyna50f6gd6e;J=JDnym?s5K
zrJj~PQ+ihWhu$A8L)Js*hTVs6Jr92Vc!V?Z>d(|azmDd;pu8v@Qyps<Hy=Mc;W^Rw
za^=g>SHf2_lllLW{#WH|-Pfo8V*Yh&YQ@y(8_}EDw?*&d-_^aheBV7CIQ{HH@`ss^
z1)t<U)ql4A-18;;%h*ijSKQaKZ+hQ4zx#fFGMhX*D`bn<b6x<2v~XM;0B`F6phO^E
zp$`CJ*SrUwi-6{RJHlfBKIh^8ljnW%T)Z^^hq?d|TRI;m09Bg-&_Y;jL&a7wgb82^
zi^Ym4;*uI?VLk^CS%g@VPqVY{lmWnX0`N^VJ3CV~JNxZ0;?*Al(3LXpy~WX3DF8|o
zVZi;PJM#J5@E@Ch1F72O$<FdpwEzGB32;bRa{vGf6951U69E94oEQKA04YgCK~xwS
zV?1%<1Osls^8f#T+_DUmNi*Rw87M`W;S}or_wOGb*8u?5LK<Q6I?X!(0000<MNUMn
GLSTZ;*FYNp

literal 0
HcmV?d00001

diff --git a/test/fixtures/sprites/public/images/bad_extensions/twenty-by-twenty.jpg b/test/fixtures/sprites/public/images/bad_extensions/twenty-by-twenty.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..4e5e297ffe74b97eaac97d132bea620d976120a6
GIT binary patch
literal 2799
zcmV<L3J~>)P)<h;3K|Lk000e1NJLTq000yK000yS0ssI20_%!e000VcX+uL$Nkc;*
zP;zf(X>4Tx0C)k_mUmQB$sWh&-t<OGh;%~ly@NpL1f)n6L?t8;LWv=C?8xE@tSBlX
zMFd@G3O0(Y1+idT1QoF_$ReOT7YjC2-VGdB&v|eEd;h#SXXbwHcYgDmxp!vH`2s-h
zU<-vwuoM8vf;3T(mn&mML?i?E2%rHC5CH*5usNwhm%zYf;2+C}`v4Mm-Zc{E`p2;U
z-XYD6P2~Up1tQ%s+*D37!lw~_&k>5!0D$We?#oOQB8<vHm?lCNh;WgZdGmZw%rWyU
z9!nF21i2wG*8sqi*=!LH0Mb1~XJl}ANFLIAgiQrpz5oESCc;jfcs3Vdqyod_<h5en
ziLh?W4|#Y$Fq<8-n3K)sE%N-gAS029-TA4)BzE@P%m1=TPD)4q*Ibc7TCyO?U%WSD
zq>gjh?!F5wOq$!XIXzYo8oZzjV*CRZI8Njlw7|kN*B>}AWI@k~ck^H1*i?_jJPB+c
z@t)1)7o`V<E^ul_u*U-D#D|10FgMnHQIF$$vKDlH8f$T`#I?SQYXEM54+J0<Bm;I@
zY!<R_0JyCcW{dc|_%wzKa?)ZA87u+E*pOjvYGx|#{=X^WJ2t=Acl5ct1JQ5%t*z4q
zfLSI!`+sZUCjdCg1VHxO-<rlZ0H{c8XAdV`lrf(VEq-8-n=6UjUwNPcG=MHJ0_MOP
zH~=Q_06ri9gn$UJ8gM{7@^3{T6RZbYKt3o0JHcL14ywT+P!EoQlb{`(1sB0pa1-=_
z0q__Mfl=@ZOo0zz27(|QM1iP~JfsR~K?aaHWD7Y#9?&u<2#SEBAs!@v(xLUxR;Umv
zfy$v8r~x_woq;Yw*P(vsAv6q4KyRThFbXEaG*}tdhD~5w*ah~5L*P{~4^Dw|;5>K-
zTn5*|N8vX3B774bfQR5$@H7gbNGLi=4P}I~MY*8@P?4xOlnAvERe&l*)uNhFov0qv
zUDOb267?C4MN`oXv=Q0??TrpabI>X1jp!nDIl3O*hQ5rxiylT#p}%7&7$uAW#va4M
ztibRvnV5V`Ddq^K6>|kMfEmSnz+$m<tPa)&>y3@TCSccLi?CJL7Hk)`A3K7b#^G@C
zI0Kv`E&#{IrQz~%`*BBc7jSoQqqt9a5?&Q=j`zez;sy9zd?~&We;$7aKZc(nND;IM
z_JjZemyk^;CLAVo5^fVl2{S}#q7KoK7(z@SZXuQtn~7J5Pl)eGB$7JGj<lS_Cv7H`
zk&ctDk%md1$ueYpvKu*yoKD_Bt|NDmACliuC=_i9lM+cuqwJtGP%crPQ9emfC5$Cl
z5?qN*5)~3{5_cqCOA;itBwZv|OXf(HN}iIuEjcMgkkXcNlVVG4l&X+ABQ+>BElrg+
zlMawhmM)TRl)f%KE`yWNmhq6`%H+u$lDQ-^LPb$EsBTmabu0BS^$K;AhNbDyShNIM
zA?+Bgmo_CUBWo!eCYvQ&A$v}Ch>oIb(^>Q+dNKVZ{XYH666GZ>OJbL7U(&qf&XSLE
zigHZ3Sh)hZ7P$erFY*j|5BWs-UGnYnPZiJ#`U=YxG8GOeTv3=*q$xTmauf>`PbxlA
zf|c}@f|S-N9a6fbG_9<n?4>MJ-miQ~c~XV0!c<96*`sn^WkQvz>ZHn7-J^Oz^(8}=
z;lfB_lrb(drqq<wyw%dxYSenwX4G}mL)CNDThyOw5H)Ny;xzVXbZbm$s%rXauGehR
ze56Itvek;$+Naf{^-)_#J6wC4cDwetj+_olCr77A=ZP*w*I743w^sL_9#+p*FHx^b
zuTLM=x6+T-uh74302^2v@C~XA`VBFLc7_7OTEjsjvXP5XhEbEzurb|unQ^XhyYXui
zO_NBIT_!yy-%YJdlS~hrJ~opv^D)ac>oj|7u5ZpUuQ0!7L9y_(*ksXR@y61?GS>2d
z<pV3Km7mo%t8S}r);886>t^c-8%>*Nn@XEOTbga4ZISIYJB*#H-6p%UcAxF7?bGZ}
z+W+NX<dEpl=rF!iXKC!x!%IgT)g9T6HI74045w(PgHA)vYR+uuTIc6X4JMa)ggNG-
z=aS%Z)aA9SsjJAf)%ByBz1s%2E_al>mwSPGuZN6Bs7JZSGf#C-o@bNil$Vv)I<GEo
zjJL1%F7H8>GK<4%U`_eh_-ydG>`V3y_AU2)zD$3aXj!Kp?C0aR+wY0LmcPKiJpcr-
z0(J*H4b%xt3H)t2c6s3PisdhY%!1Yj^#oIc*912Pe+Y36DGqrYsvDXf+8rht78TYI
z_A%T&yd->Rg~^HyD{e+8MDQazB5{#nkw+q@S9+}6yK*$jDk?wf{wkeSS*xzER#=_1
z`rI1HHS9H~qA}6o(T&kx*#YcY_H+y@rZQ%V<Hp&?dBtUN_i!g-9b-#k$Ko90O5(<O
zj=bHxiFoJu()dZf8^4_YCc!(QI^kntKw@3uY*KhqOENw=I{A!1Mvy4DyjEpx*4lod
zfiPb<lwzN<H)TrXD>{-2rLIctNTVTU=2p6H`cLV@8BQ4$8J{x4GEZemX9==yW$R~e
z&mPP1%=vX4dL3t7_j<MUTh<S6aM@6^5!x8Dv3rxoro2s~o4q#IZy|0;-12*_X>LjG
z`>o+yJM)zDHs_7}<n>cizC^w#e{h?_w(6hJKl6X?-EOgc|Mu?%+=3g0riG=2UyC?J
zH-0hurR<m49dSE)i>-?f?8NRA?7Y9rc~^ajbV*Lh$Zo&gZF?Ad3iiC;yJqk8Qp?in
zeZ+m~`-aMvm38db+`n`G*Yf!CfeP1(mP)0{?Uf&^xK(!!Fb_0WD_0j*e>uoM_@KtC
zrma@Hw)7D8P{yGbhr<r{{A&Aa!x4oeg-5>C3F?OGgX%9g*fcaWDm4~2!A<E+6Gx+t
z_8oIS*3oR#T+>2tDLf92ryqZLBKpMrlfEarPuZSoKCN}SvX$Ce&<3?-w@tOjw-0qh
zbo8I`In&+g(AoN%@o#l!)y`I&lRZ~_o_Id*{OpCC3)5Y~uE~qMizD4@x*uO!ap~UW
z<(GS}_+Gho)${759+#dA*Bq~%y>5T~%njQc?KiD&w%xM2)%v^D@2$Poy=}K`Zg=$A
z^>y|y?LU9V`Od|=?su==W8J$s;6KoRKlJ{C!KlHZ2iyna50f6gd6e;J=JDnym?s5K
zrJj~PQ+ihWhu$A8L)Js*hTVs6Jr92Vc!V?Z>d(|azmDd;pu8v@Qyps<Hy=Mc;W^Rw
za^=g>SHf2_lllLW{#WH|-Pfo8V*Yh&YQ@y(8_}EDw?*&d-_^aheBV7CIQ{HH@`ss^
z1)t<U)ql4A-18;;%h*ijSKQaKZ+hQ4zx#fFGMhX*D`bn<b6x<2v~XM;0B`F6phO^E
zp$`CJ*SrUwi-6{RJHlfBKIh^8ljnW%T)Z^^hq?d|TRI;m09Bg-&_Y;jL&a7wgb82^
zi^Ym4;*uI?VLk^CS%g@VPqVY{lmWnX0`N^VJ3CV~JNxZ0;?*Al(3LXpy~WX3DF8|o
zVZi;PJM#J5@E@Ch1F72O$<FdpwEzGB32;bRa{vGf6951U69E94oEQKA03=C7K~y*q
zW4!m|6$80|iCm2!eWRL54873+8x1gmAutjX2>=@-0@RJ`HGBX7002ovPDHLkV1j+)
BIe!2E

literal 0
HcmV?d00001

diff --git a/test/units/sprites/importer_test.rb b/test/units/sprites/importer_test.rb
index 04f95c8b..d25bff1e 100644
--- a/test/units/sprites/importer_test.rb
+++ b/test/units/sprites/importer_test.rb
@@ -46,4 +46,21 @@ class ImporterTest < Test::Unit::TestCase
     assert_equal 'bar', @importer.sass_options[:foo]
   end
   
+  test "should fail givin bad sprite extensions" do
+    @images_src_path = File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'sprites', 'public', 'images')
+    file = StringIO.new("images_path = #{@images_src_path.inspect}\n")
+    Compass.add_configuration(file, "sprite_config")
+    importer = Compass::SpriteImporter.new(:uri => 'bad_extensions/*.jpg', :options => options)
+    begin
+      importer.sass_engine
+      assert false, "Somthing happened an invalid sprite file made it past validation"
+    rescue Compass::Error => e
+      assert e.message.include?('.png')
+    end
+  end
+  
+  def taredown
+    Compass.reset_configuration!
+  end
+  
 end
\ No newline at end of file