Eric Hodel
7/17/2007 8:25:00 AM
On Jul 17, 2007, at 01:18, Eric Hodel wrote:
> On Jul 16, 2007, at 22:51, Giles Bowkett wrote:
>> I've got a class which loads files and turns them into ActiveRecord DB rows.
>> I'm converting images on a filesystem into blobs in a database.
>>
>> class ImageFile < ActiveRecord::Base
>>   class << self
>>     def import_from_hash(hash)
>>       %w{medium square thumb lsquare lthumb tiny}.each do |suffix|
>>         filename = "public/item/photos/" + hash[0..2] + "/" + hash + "_#{suffix}.jpg"
>>         if File.exists?(filename)
>>           File.open(filename, "r") do |file|
>>             image_file = ImageFile.new
>>             eval ("image_file.#{suffix} = file.read")
>>           end
>>         end
>>       end
>>     end
>>   end
>> end
>>
>> As you can see the whole thing depends massively on eval(). Yet I
>> think it's safe.
>
> echo 'system "rm -rf /"' > public/item/photos/XX/Y_medium.jpg
Hrm, sorry, no. Too tired to notice no #{} around file.read.
Still, far too dangerous, use #send instead.
--
Poor workers blame their tools. Good workers build better tools. The
best workers get their tools to do the work for them. -- Syndicate Wars
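The `#send` rewrite Eric suggests, as an added example that is not code from either poster. It replaces the ActiveRecord model with a plain Ruby class so it runs stand-alone, keeps the attribute names on a frozen allow-list, passes the file bytes as an ordinary method argument instead of building source text, and adds a format check on `hash` before it is used in a path (that check, the `root:` keyword and the fixture helper are assumptions of this example, not part of the original code):

```ruby
require "tmpdir"
require "fileutils"

# Stand-in for the ActiveRecord model in the thread: plain accessors, no database.
class ImageFile
  SUFFIXES = %w[medium square thumb lsquare lthumb tiny].freeze
  attr_accessor(*SUFFIXES)

  # Load the variants stored under <root>/<hash[0..2]>/<hash>_<suffix>.jpg.
  # The attribute name comes only from the frozen SUFFIXES list and the file
  # contents travel as a method argument, so neither the hash nor the file
  # bytes are ever parsed as Ruby source, which is what eval would have done.
  def self.import_from_hash(hash, root: "public/item/photos")
    # Assumed check: hash is lowercase hex, so it cannot carry "../" into the path.
    raise ArgumentError, "bad hash" unless hash.match?(/\A[0-9a-f]{3,}\z/)
    image_file = new
    SUFFIXES.each do |suffix|
      filename = File.join(root, hash[0..2], "#{hash}_#{suffix}.jpg")
      next unless File.file?(filename)
      image_file.public_send("#{suffix}=", File.binread(filename))
    end
    image_file
  end
end

# Constructed fixture: a temp tree holding two of the six variants. The
# "thumb" file contains the text from the thread so we can confirm it is
# stored as inert data and not executed.
def build_fixture(root)
  dir = File.join(root, "abc")
  FileUtils.mkdir_p(dir)
  File.binwrite(File.join(dir, "abcdef_medium.jpg"), "\xFF\xD8\xFF\xE0 medium bytes".b)
  File.binwrite(File.join(dir, "abcdef_thumb.jpg"), 'system "rm -rf /"')
  "abcdef"
end

# Runs the import against the fixture and reports what was loaded.
def demo
  Dir.mktmpdir do |root|
    hash = build_fixture(root)
    img = ImageFile.import_from_hash(hash, root: root)
    {
      medium_loaded: img.medium.start_with?("\xFF\xD8".b),
      thumb_is_inert: img.thumb == 'system "rm -rf /"',
      square_missing: img.square.nil?
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

`public_send` rather than `send` is used so that only public writers can be reached even if the allow-list were ever loosened; with `eval`, by contrast, the attribute name is spliced into source text, so any untrusted value reaching `suffix` would run as code.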