Proposal to deprecate "|command-here" inputs for Kernel.open() accepted(bugs.ruby-lang.org)

posted 1 year ago

Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen() resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.

Sort:

Hot Top Controversial New Old

[ - ]

Glarrf@midwest.social

2 points

1 year ago

I’m glad security is getting some good efforts!

permalink

report

Ruby

!ruby@programming.dev

Create post

A community for discussion and news about Ruby programming.

Learning Ruby?

Try Ruby in your browser

Tools

Ruby Version Manager (RVM) Install, manage and work with multiple Ruby environments. adsf is an increasingly popular option too.
rbenv Groom your app’s Ruby environment with rbenv.
Looking for new gems? ruby-toolbox
Install Ruby on macOS

Documentation

Ruby API or Ruby Doc
YARD docs via rubydoc.info YARD Documentation Server

Books

Screencasts

News and updates

Ruby news in a weekly email from Ruby Weekly
‘Planet’ of Ruby blogs at rubyland.news
Ruby tweets at @RubyInside

Community stats

5
Monthly active users
72
Posts
55
Comments