On 10/5/06, Pit C. [email protected] wrote:
Class +IO+ is the basis for all input and output in Ruby. An I/O underlying operating system.* A string starting with ``+|+'' indicates a subprocess. The remainder of the string following the ``+|+'' is invoked as a process with appropriate input/output channels connected to it.* A string equal to ``+|-+'' will create another Ruby instance as a subprocess.
Just a word of caution about using Kernel#open rather than File#open
Kernel#open interprets a path starting with “|” as a pipe, and
effectively calls IO#popen under the covers, while File#open doesn’t.
Kernel open looks like another borrowing from perl, whose standard
open function acts this way. Although Ruby has borrowed a lot of good
things from perl, I’m not sure that this is one of them.
This is dangerous if the path argument is coming from a user, say in a
web application, because it opens a security exposure. There have
been several exploits of web applications written in perl which take
advantage of perl’s open function. Awstats is a popular application
for showing web server statistics which is written in perl. It’s had
several nasty security bugs because it wasn’t verifying urls and the
nasties were doing things which exploited that like getting it to
‘pipe’ to wget to download worms.
When I first came across Ruby’s File#open I was happy to see that IT
just treats the name argument as a file path, and chokes if it starts
with a “|”.
I think that it’s generally better practice in ruby to eschew
Kernel#open and use either File#open to open files, and IO#popen to
open pipes so that it’s clear what’s happening.
While the Kernel#open method might be convenient and safe in
controlled cases, it seems like it might be the basis of a bad habit
when it matters.
–
Rick DeNatale
My blog on Ruby
http://talklikeaduck.denhaven2.com/