Hi,

I just noticed this:

09:57:58 ~$ allruby /c/Temp/d.rb
CYGWIN_NT-5.1 padrklemme2 1.7.7(0.230/5/3) 2010-08-31 09:58 i686 Cygwin

ruby 1.8.7 (2008-08-11 patchlevel 72) [i386-cygwin]
“line 1\nline 2\n”
“\np DATA.read\nDATA.seek 0\np DATA.read\n\n__END__\nline 1\nline 2\n”

ruby 1.9.2p136 (2010-12-25 revision 30365) [i386-cygwin]
“line 1\nline 2\n”
“\np DATA.read\nDATA.seek 0\np DATA.read\n\n__END__\nline 1\nline 2\n”

jruby 1.4.0 (ruby 1.8.7 patchlevel 174) (2009-11-02 69fbfa3) (Java
HotSpot™ Client VM 1.6.0_23) [x86-java]
“line 1\nline 2\n”
“”
09:58:31 ~$ cat /c/Temp/d.rb

p DATA.read
DATA.seek 0
p DATA.read

END
line 1
line 2
09:58:37 ~$

In other words, I can read what’s before END if I simply seek.
IMHO that is a bad thing and may even be used for attacks.

Btw, I stumbled across this by doing this:

10:01:24 ~$ ruby19 /c/Temp/dd.rb
[“require ‘csv’”]
[]
[“CSV.foreach DATA do |rec|”]
[" p rec"]
[“end”]
[]
[“END”]
[“line 1”]
[“line 2”]
10:01:33 ~$ cat /c/Temp/dd.rb
require ‘csv’

CSV.foreach DATA do |rec|
p rec
end

END
line 1
line 2
10:01:37 ~$

Maybe it’s not such a good idea for CSV.foreach to seek to 0 before
starting to read. As a user of CSV I would always want it to start
off where the IO currently points to. James, what do you think?

Kind regards

robert

(2011/01/11 18:03), Robert K. wrote:

I just noticed this:

This is a spec Ruby inherited from Perl. If you know
any known attacks involving this, let us know.

On Tue, Jan 11, 2011 at 10:11 AM, Urabe S.
[email protected] wrote:

(2011/01/11 18:03), Robert K. wrote:

I just noticed this:

This is a spec Ruby inherited from Perl.

Ah, I wasn’t aware of this. So then CSV.foreach should probably
refrain from seeking.

If you know any known attacks involving this, let us know.

No concrete one yet.

Kind regards

robert

On 11 Jan 2011, at 09:03, Robert K. wrote:

In other words, I can read what’s before END if I simply seek.
IMHO that is a bad thing and may even be used for attacks.

I’ve written a script in the past that (ab)used that to use DATA as a
small datastore, rather than writing out to a separate data file. I had
to write out the entire file though, including the source code, so being
able to just seek back to 0 and read from there was helpful for writing
the script.

C

Caius D.
[email protected]
+44 (0) 7960 268 100
http://caius.name/

On Jan 11, 2011, at 4:55 AM, Caius D. wrote:

On 11 Jan 2011, at 09:03, Robert K. wrote:

In other words, I can read what’s before END if I simply seek.
IMHO that is a bad thing and may even be used for attacks.

I love the feature. It’s one of those fun things to abuse.

I’ve written a script in the past that (ab)used that to use DATA as a small
datastore

I’ve done that too.

rather than writing out to a separate data file. I had to write out the entire
file though, including the source code

You don’t have to rewrite the code, if you are careful:

#!/usr/bin/env ruby -wKU

pos = DATA.pos # memorize position after END

do whatever

count = DATA.read.to_i
puts “Count: #{count}”
count += 1

DATA.reopen(FILE, “a+”) # turn on writing mode
DATA.truncate(pos) # remove the DATA section
DATA.puts count # update DATA

END
0

James Edward G. II