From: "hsbt (Hiroshi SHIBATA) via ruby-core" <ruby-core@...>
Date: 2023-05-24T06:52:02+00:00
Subject: [ruby-core:113610] [Ruby master Feature#19630] [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues

Issue #19630 has been updated by hsbt (Hiroshi SHIBATA).


This proposal makes sense to me. But I'm not sure how much this incompatibility would impact existing code.

Do you have any deprecated process for this?

----------------------------------------
Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues
https://bugs.ruby-lang.org/issues/19630#change-103254

* Author: postmodern (Hal Brodigan)
* Status: Open
* Priority: Normal
----------------------------------------
`Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file or, if 'open-uri' was explicitly required, open a remote URI. We should deprecate calling `Kernel.open()` with `"|command-here"`-style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`.

[1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscription-rce-8a902d9afdd7
[2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits
[3]: https://blog.heroku.com/identifying-ruby-ftp-cve



-- 
https://bugs.ruby-lang.org/
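The pattern described in the ticket, shown from the defender's side as an added example (not code from the ticket, its author, or ruby-core): a file reader that uses `File.open` so a leading `|` is never interpreted, a guard for call sites that must stay on `Kernel.open`, and a heuristic that flags suspicious `open(` calls in source text. `read_config`, `open_checked`, `with_sample_file` and `pipe_open_candidates` are hypothetical names; the sample source fed to the audit helper is constructed.

```ruby
require 'tempfile'

# Hardened reader: File.open never treats "|cmd" as a command, it simply
# tries to open a file literally named "|cmd" and raises Errno::ENOENT.
# Kernel.open(path) at this spot would instead run the command.
def read_config(path)
  File.open(path, 'r', &:read)
end

# For call sites that must keep Kernel.open (for example open-uri users):
# refuse any String argument that begins with the pipe prefix.
def open_checked(name, *args, &blk)
  if name.is_a?(String) && name.start_with?('|')
    raise ArgumentError, "refusing to open a pipe command: #{name.inspect}"
  end
  Kernel.open(name, *args, &blk)
end

# Writes constructed sample content to a temp file and yields its path.
def with_sample_file(content)
  Tempfile.create('cfg') do |f|
    f.write(content)
    f.flush
    yield f.path
  end
end

# Audit heuristic: returns [line_number, line] for bare `open(` or
# `Kernel.open(` calls whose first argument is not a string literal.
# File.open / URI.open / IO.open are skipped because they cannot spawn a
# command from a "|" prefix. Paren-less `open path` is not covered.
PIPE_OPEN_RE = /(?<![\w.])(?:Kernel\.)?open\s*\(\s*(?!['"])/

def pipe_open_candidates(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(PIPE_OPEN_RE) }
        .map { |line, n| [n, line.strip] }
end
```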