From: "mdalessio (Mike Dalessio) via ruby-core" Date: 2023-06-11T16:18:14+00:00 Subject: [ruby-core:113872] [Ruby master Feature#19723] [RFC] Deprecate/disallow passing `"|command..." values to open-uri's URI.open() method Issue #19723 has been updated by mdalessio (Mike Dalessio). I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from `Kernel#open` (called by `URI.open` in the fall-through case). If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would _also_ deprecate this behavior in `URI.open`. ---------------------------------------- Feature #19723: [RFC] Deprecate/disallow passing `"|command..." values to open-uri's URI.open() method https://bugs.ruby-lang.org/issues/19723#change-103520 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- Due to `Kernel.open()` supporting opening pipe-commands (ex: `"|command-here..."`) this has led to multiple [1] security [2] vulnerabilities [3], where malicious user-input eventually is passed to `Kernel.open()`. One of the code-paths that malicious user-input can reach `Kernel.open()` is via open-uri's `URI.open()` method. RuboCop even recommends avoiding using `URI.open()` in favor of `uri = URI.parse(...); uri.open` to avoid accidentally opening malicious `"|command..."` inputs. I propose that `URI.open()` should not accept pipe-commands, as they are neither URIs nor files. One could even argue that `URI.open()` should only accept URIs and never fallback to `Kernel.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscription-rce-8a902d9afdd7 [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/ ______________________________________________ ruby-core mailing list -- ruby-core@ml.ruby-lang.org To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/