From: "postmodern (Hal Brodigan) via ruby-core" <ruby-core@...>
Date: 2023-05-06T00:14:33+00:00
Subject: [ruby-core:113409] [Ruby master Feature#19630] [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues

Issue #19630 has been updated by postmodern (Hal Brodigan).


A more complete list of the CVEs related to `Kernel.open`:

* CVE-2017-17405 (ruby, net-ftp)
* CVE-2017-17790 (ruby, resolv)
* CVE-2019-10780 (bibtex-ruby)
* CVE-2021-21289 (mechanize)
* CVE-2019-5477 (nokogiri)
* CVE-2021-31799 (rdoc)
* CVE-2019-5477 (rexical)

----------------------------------------
Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues
https://bugs.ruby-lang.org/issues/19630#change-102980

* Author: postmodern (Hal Brodigan)
* Status: Open
* Priority: Normal
----------------------------------------
`Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to want either to open a local file or, if 'open-uri' was explicitly required, to open a remote URI. We should deprecate calling `Kernel.open()` with `"|command-here"`-style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`.

[1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscription-rce-8a902d9afdd7
[2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits
[3]: https://blog.heroku.com/identifying-ruby-ftp-cve



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
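The behaviour the RFC describes, as an added example that is not part of the original message or of Ruby's own code: `Kernel#open` given a pipe-prefixed string runs a command, `File.open` never does, `IO.popen` with an argv array is the explicit replacement, and a small guard (`read_untrusted_path`, a name chosen here for illustration) rejects the `"|..."` form before it reaches `Kernel#open`. The sample file and the `echo` commands are constructed for the demo; `URI.open` is not shown because it needs open-uri and a network.

```ruby
# Added example, not code from the issue or from Ruby itself: shows the
# Kernel.open("|command") behaviour described in the RFC, the explicit
# IO.popen alternative, and a guard for callers that only want a local file.
# Uses a temporary file it creates; every path and command here is constructed.
require "tempfile"

# A constructed sample file standing in for "a path the user supplied".
SAMPLE = Tempfile.new("open-demo")
SAMPLE.write("hello from a real file\n")
SAMPLE.flush

# The hazard: Kernel#open treats a leading "|" as "run this command".
# With attacker-controlled input this is command injection.
def read_with_kernel_open(arg)
  open(arg, &:read)
end

# Guarded form (hypothetical helper): refuse pipe-prefixed strings before they
# reach Kernel#open, then use File.open, which never interprets "|".
def read_untrusted_path(arg)
  raise ArgumentError, "refusing to open a command: #{arg.inspect}" if arg.start_with?("|")
  File.open(arg, &:read)
end

# Explicit command execution: IO.popen with an argv array, so no shell is
# involved and the arguments are not re-parsed.
def run_command(argv)
  IO.popen(argv, &:read)
end

# True when File.open rejects the pipe form: it looks for a file literally
# named "|echo ..." and raises Errno::ENOENT instead of running anything.
def file_open_rejects_pipe?(arg)
  File.open(arg, &:read)
  false
rescue Errno::ENOENT
  true
end

# Returns the guard's error message, or nil if it let the call through.
def guard_message(arg)
  read_untrusted_path(arg)
  nil
rescue ArgumentError => e
  e.message
end

if __FILE__ == $0
  puts read_with_kernel_open(SAMPLE.path)       # real file contents
  puts read_with_kernel_open("|echo injected")  # command output: the problem
  puts run_command(["echo", "explicit"])        # the intended replacement
  puts file_open_rejects_pipe?("|echo injected")
  puts guard_message("|echo injected")
end
```

The guard is the minimal fix for code that cannot yet drop `Kernel#open` (for example because it still relies on open-uri's URI support); code that only ever wants a local file should simply call `File.open`, which removes the problem rather than checking for it.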