From 8116a17cb135ce4ebc7b54747b63c94625eac48b Mon Sep 17 00:00:00 2001
From: jammy
Date: Fri, 8 May 2020 17:39:24 +0200
Subject: [PATCH] Fix command injection vulnerability
---
 rsync.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rsync.js b/rsync.js
index a8a7d73..725757b 100644
--- a/rsync.js
+++ b/rsync.js
@@ -499,11 +499,11 @@ Rsync.prototype.execute = function(callback, stdoutHandler, stderrHandler) {
 // see https://github.com/joyent/node/blob/937e2e351b2450cf1e9c4d8b3e1a4e2a2def58bb/lib/child_process.js#L589
 var cmdProc;
 if ('win32' === process.platform) {
- cmdProc = spawn('cmd.exe', ['/s', '/c', '"' + this.command() + '"'],
+ cmdProc = spawn(this.executable(), this.args(),
 { stdio: 'pipe', windowsVerbatimArguments: true, cwd: this._cwd, env: this._env });
 }
 else {
- cmdProc = spawn(this._executableShell, ['-c', this.command()],
+ cmdProc = spawn(this.executable(), this.args(),
 { stdio: 'pipe', cwd: this._cwd, env: this._env });
 }
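Review bot: The win32 branch still passes `windowsVerbatimArguments: true`, which makes Node join the argument array into the Windows command line without quoting or escaping; that suited the old `cmd.exe /s /c` wrapper, but with the executable now spawned directly, an argument containing a space or a double quote can be re-split by the child into extra rsync options. Dropping the flag lets Node apply its normal quoting, after which both branches can share one call: `cmdProc = spawn(this.executable(), this.args(), { stdio: 'pipe', cwd: this._cwd, env: this._env });`. `args()` is not visible in this hunk; if it still shell-escapes values for `command()`, those escape characters now reach rsync literally, so that should be checked. The `// see …child_process.js#L589` comment above the branch describes the shell launch and is stale after this change. `execute` begins before the hunk and continues after it.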