comp.lang.ruby

[BUG] system() isn't safe on win32

Florian Gross

10/29/2003 7:39:00 PM

Moin!

This ruby one-liner

ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
in safe mode.'"

produces this scary result:

ruby 1.8.0 (2003-08-04) [i386-mswin32]
Was able to run an arbitrary command in safe mode.

IMHO this effectively disables all the security which $SAFE ought to
give you and should be fixed in the ruby interpreter.

However, it can also be fixed without patching ruby with a few simple
lines of ruby code so you can patch existing applications as soon as
possible:

kernel_meta = class << Kernel; self; end
# Wrap system() both on the Kernel module itself (Kernel.system) and on
# Object, where Kernel#system is reachable as a private instance method.
[kernel_meta, Object].each { |c| c.module_eval {
  old_system = instance_method(:system)
  define_method(:system) { |*args|
    raise(SecurityError, "I'm afraid I can't do that, Dave") if $SAFE > 1
    old_system.bind(self).call(*args)
  }
} }

Regards,
Florian Gross
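The same guard idea, generalized beyond system() to the other Kernel primitives that hand a string to the shell (backticks, exec, spawn), as an added example. This is not Florian's patch and not part of Ruby; `CommandGuard`, its `restricted` flag and `probe` are hypothetical names chosen here, and because Ruby 2.7 deprecated and 3.0 removed $SAFE, the policy is a plain flag rather than a $SAFE level:

```ruby
# Added example (not Florian's patch and not part of Ruby): a guarded wrapper
# around the shell-spawning primitives Kernel exposes. `CommandGuard` and its
# `restricted` flag are hypothetical names. Ruby 2.7 deprecated and 3.0 removed
# $SAFE, so the policy is a plain flag here instead of a $SAFE level.
module CommandGuard
  # Every Kernel primitive that hands a string to the shell or execs a program.
  GUARDED = [:system, :`, :exec, :spawn].freeze

  class << self
    attr_accessor :restricted
  end
  self.restricted = false

  # Kernel exposes each primitive twice: as a private instance method mixed
  # into every object (plain `system "x"`) and as a public singleton method on
  # the Kernel module (`Kernel.system "x"`). Both must be wrapped, or the other
  # spelling stays an unguarded bypass.
  def self.install!
    return if @installed
    [Kernel, Kernel.singleton_class].each do |target|
      GUARDED.each do |name|
        was_private = target.private_method_defined?(name)
        next unless was_private || target.method_defined?(name)
        original = target.instance_method(name)
        target.send(:define_method, name) do |*args, &blk|
          if CommandGuard.restricted
            raise SecurityError, "Insecure operation - #{name}"
          end
          original.bind(self).call(*args, &blk)
        end
        # define_method via send makes the method public; restore Kernel's visibility
        target.send(:private, name) if was_private
      end
    end
    @installed = true
  end

  # Exercises one primitive with the harmless `true` command and reports
  # whether the policy blocked it (:blocked) or the original ran (:ran).
  def self.probe(which = :system)
    case which
    when :system
      system("true") ? :ran : :failed
    when :backtick
      `true`
      :ran
    when :spawn
      Process.wait(spawn("true"))
      :ran
    else
      raise ArgumentError, "unknown probe #{which}"
    end
  rescue SecurityError
    :blocked
  end
end

if $PROGRAM_NAME == __FILE__
  CommandGuard.install!
  CommandGuard.restricted = true
  %i[system backtick spawn].each { |w| puts "#{w}: #{CommandGuard.probe(w)}" }
  CommandGuard.restricted = false
  puts "system (unrestricted): #{CommandGuard.probe(:system)}"
end
```

Like the original one-liner patch, this is a stopgap at the Ruby level, not an interpreter fix: it only intercepts the wrapped names, so Process.spawn, IO.popen and Open3 remain unguarded unless wrapped the same way, and any code that captured a reference to the original method before install! ran keeps the unguarded version.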


5 Answers

matz

10/30/2003 12:28:00 AM


Hi,

In message "[BUG] system() isn't safe on win32"
on 03/10/30, Florian Gross <flgr@ccan.de> writes:

|This ruby one-liner
|
| ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
| in safe mode.'"
|
|produces this scary result:
|
| ruby 1.8.0 (2003-08-04) [i386-mswin32]
| Was able to run an arbitrary command in safe mode.
|
|IMHO this effectively disables all the security which $SAFE ought to
|give you and should be fixed in the ruby interpreter.

It shouldn't happen. Does anyone confirm this?

How did you invoke ruby? From cmd.exe or Cygwin bash?
The only reasonable explanation I can think of now is:

using bash (or any other UNIXish shell)
having an environment variable named SAFE
whose value looks like a valid identifier

In this case,

ruby -ve '$SAFE = 5; system "echo Was able to run an arbitrary command in safe mode."'

(note the exchanged ' and ") should work. But there might be other reasons.

matz.

U.Nakamura

10/30/2003 12:43:00 AM


Hello,

In message "Re: [BUG] system() isn't safe on win32"
on Oct.30,2003 09:28:09, <matz@ruby-lang.org> wrote:
| |This ruby one-liner
| |
| | ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
| | in safe mode.'"
| |
| |produces this scary result:
| |
| | ruby 1.8.0 (2003-08-04) [i386-mswin32]
| | Was able to run an arbitrary command in safe mode.
| |
| |IMHO this effectively disables all the security which $SAFE ought to
| |give you and should be fixed in the ruby interpreter.
|
| It shouldn't happen. Does anyone confirm this?

It's a bug of mswin32 (and mingw32, bccwin32). Sorry.
I've fixed it on CVS.


Regards,
--
U.Nakamura <usa@osb.att.ne.jp>



David Garamond

10/30/2003 7:20:00 AM


Yukihiro Matsumoto wrote:
> | ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
> | in safe mode.'"
> |
> |produces this scary result:
> |
> | ruby 1.8.0 (2003-08-04) [i386-mswin32]
> | Was able to run an arbitrary command in safe mode.
>
> It shouldn't happen. Does anyone confirm this?

Yes, same output here. Ruby 1.8.0 (mswin32), CMD.EXE, Win2k+SP2. Also
the same output regardless of whether $SAFE is 3, 4, or 5. $SAFE >= 3
correctly forbids system() on my Linux box.

Haven't tried the cygwin version though.

--
dave



Robert Klemme

10/30/2003 8:50:00 AM



"David Garamond" <lists@zara.6.isreserved.com> wrote in the news post
news:3FA0BB8D.2090204@zara.6.isreserved.com...
> Yukihiro Matsumoto wrote:
> > | ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
> > | in safe mode.'"
> > |
> > |produces this scary result:
> > |
> > | ruby 1.8.0 (2003-08-04) [i386-mswin32]
> > | Was able to run an arbitrary command in safe mode.
> >
> > It shouldn't happen. Does anyone confirm this?
>
> Yes, same output here. Ruby 1.8.0 (mswin32), CMD.EXE, Win2k+SP2. Also
> same output regardless of $SAFE is 3, 4, 5. $SAFE >= 3 correctly forbids
> system() on my Linux box.
>
> Haven't tried the cygwin version though.

That is ok:

09:49:27 [w]: ruby -ve '$SAFE = 5; system "echo Was able to run"'
ruby 1.8.0 (2003-08-04) [i386-cygwin]
-e:1:in `system': Insecure operation - system (SecurityError)
from -e:1
09:49:43 [w]:

robert
