Kernel#open and security (was Re: command help)

On 10/5/06, Pit C. [email protected] wrote:

  Class +IO+ is the basis for all input and output in Ruby. An I/O
      underlying operating system.
  *   A string starting with ``+|+'' indicates a subprocess. The
      remainder of the string following the ``+|+'' is invoked as a
      process with appropriate input/output channels connected to it.
  *   A string equal to ``+|-+'' will create another Ruby instance as
      a subprocess.

Just a word of caution about using Kernel#open rather than File#open

Kernel#open interprets a path starting with “|” as a pipe, and
effectively calls IO#popen under the covers, while File#open doesn’t.

Kernel open looks like another borrowing from perl, whose standard
open function acts this way. Although Ruby has borrowed a lot of good
things from perl, I’m not sure that this is one of them.

This is dangerous if the path argument is coming from a user, say in a
web application, because it opens a security exposure. There have
been several exploits of web applications written in perl which take
advantage of perl’s open function. Awstats is a popular application
for showing web server statistics which is written in perl. It’s had
several nasty security bugs because it wasn’t verifying urls and the
nasties were doing things which exploited that like getting it to
‘pipe’ to wget to download worms.

When I first came across Ruby’s File#open I was happy to see that IT
just treats the name argument as a file path, and chokes if it starts
with a “|”.

I think that it’s generally better practice in ruby to eschew
Kernel#open and use either File#open to open files, and IO#popen to
open pipes so that it’s clear what’s happening.

While the Kernel#open method might be convenient and safe in
controlled cases, it seems like it might be the basis of a bad habit
when it matters.


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

“R” == Rick DeNatale [email protected] writes:

R> This is dangerous if the path argument is coming from a user, say in
a
R> web application, because it opens a security exposure. There have

Well not really if ruby run with $SAFE > 0, because in this case it
will
give an error

moulon% ruby -e ‘$SAFE = 1; a = “aa”.taint; open(a)’
-e:1:in `initialize’: Insecure operation - initialize (SecurityError)
from -e:1
moulon%

R> been several exploits of web applications written in perl which take
R> advantage of perl’s open function.

Perhaps there is an incompatibility between “web applications” and
“security” …

Guy Decoux

On Fri, 6 Oct 2006, ts wrote:

Perhaps there is an incompatibility between “web applications” and
“security” …

i love that.

-a

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs