[lnkForumImage]
TotalShareware - Download Free Software
Confronta i prezzi di migliaia di prodotti.
Asp Forum
 Home | Login | Register | Search 


 

Forums >

comp.lang.ruby

Kernel#open and security (was Re: command help

Rick DeNatale

10/5/2006 2:58:00 PM

On 10/5/06, Pit Capitain <pit@capitain.de> wrote:
> Tom Allison schrieb:
> >>> hostname = open("|hostname").gets
> >
> > What's with the pipe being at the wrong end?
> > What's the thinking behind that?
>
> You can find a short description in ri or the Pickaxe:
>
> C:\tmp>ri IO
> -------------------------------------------------------------- Class: IO
> Class +IO+ is the basis for all input and output in Ruby. An I/O
> stream may be _duplexed_ (that is, bidirectional), and so may use
> more than one native operating system stream.
>
> Many of the examples in this section use class +File+, the only
> standard subclass of +IO+. The two classes are closely associated.
>
> As used in this section, _portname_ may take any of the following
> forms.
>
> * A plain string represents a filename suitable for the
> underlying operating system.
>
> >>>>>
> * A string starting with ``+|+'' indicates a subprocess. The
> remainder of the string following the ``+|+'' is invoked as a
> process with appropriate input/output channels connected to it.
> >>>>>
>
> * A string equal to ``+|-+'' will create another Ruby instance as
> a subprocess.

Just a word of caution about using Kernel#open rather than File#open

Kernel#open interprets a path starting with "|" as a pipe, and
effectively calls IO#popen under the covers, while File#open doesn't.

Kernel open looks like another borrowing from perl, whose standard
open function acts this way. Although Ruby has borrowed a lot of good
things from perl, I'm not sure that this is one of them.

This is dangerous if the path argument is coming from a user, say in a
web application, because it opens a security exposure. There have
been several exploits of web applications written in perl which take
advantage of perl's open function. Awstats is a popular application
for showing web server statistics which is written in perl. It's had
several nasty security bugs because it wasn't verifying urls and the
nasties were doing things which exploited that like getting it to
'pipe' to wget to download worms.

When I first came across Ruby's File#open I was happy to see that IT
just treats the name argument as a file path, and chokes if it starts
with a "|".

I think that it's generally better practice in ruby to eschew
Kernel#open and use either File#open to open files, and IO#popen to
open pipes so that it's clear what's happening.

While the Kernel#open method might be convenient and safe in
controlled cases, it seems like it might be the basis of a bad habit
when it matters.

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denh...
2 Answers

ts

10/5/2006 3:49:00 PM

0

>>>>> "R" == Rick DeNatale <rick.denatale@gmail.com> writes:

R> This is dangerous if the path argument is coming from a user, say in a
R> web application, because it opens a security exposure. There have

Well not really if ruby run with $SAFE > 0, because in this case it will
give an error

moulon% ruby -e '$SAFE = 1; a = "aa".taint; open(a)'
-e:1:in `initialize': Insecure operation - initialize (SecurityError)
from -e:1
moulon%


R> been several exploits of web applications written in perl which take
R> advantage of perl's open function.

Perhaps there is an incompatibility between "web applications" and
"security" ...


Guy Decoux

Ara.T.Howard

10/5/2006 4:19:00 PM

0