From: andrew@...
Date: 2016-01-30T06:24:22+00:00
Subject: [ruby-core:73597] [Ruby trunk - Bug #11915] File.read reading string starting with | executes it.

Issue #11915 has been updated by Andrew Vit.

People should (hopefully) always read files with an absolute path prefix, but something like this could be surprising:

~~~
userinput = "|env"
Dir.chdir("/app/public/downloads") do
  puts File.read(userinput)
end
~~~

(Yes, it's a contrived example.)

It makes sense if IO handles pipes, but File should probably mean *real* files.

----------------------------------------
Bug #11915: File.read reading string starting with | executes it.
https://bugs.ruby-lang.org/issues/11915#change-56793

* Author: Linus Sellberg
* Status: Open
* Priority: Normal
* Assignee:
* ruby -v: 2.1.5p273
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
----------------------------------------
```ruby
puts File.read "|/bin/ls"
[output of executing ls]
=> nil
```

This is quite surprising behaviour. It is one thing that some of the `.open` methods actually can execute stuff, but a method named 'read' should not behave like that.

--
https://bugs.ruby-lang.org/
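
The absolute-path habit mentioned in the message above, written out as a reader for user-named files. This is an added example, not code from the message or from the Ruby project; `read_download`, `UnsafePath`, `demo` and the file names are hypothetical, and the directory contents are constructed.

```ruby
require "tmpdir"

class UnsafePath < StandardError; end

# read_download, base_dir and user_input are hypothetical names.
def read_download(base_dir, user_input)
  raise UnsafePath, "NUL byte in name" if user_input.include?("\0")

  base = File.realpath(base_dir)
  # Join first, then normalise: the result is absolute, so it can never
  # begin with "|", and a leading "~" is not expanded to a home directory.
  candidate = File.expand_path(File.join(base, user_input))
  inside = ->(p) { p.start_with?(base + File::SEPARATOR) }
  raise UnsafePath, "escapes #{base}" unless inside.call(candidate)

  # Resolve symlinks and re-check; raises Errno::ENOENT if nothing is there.
  real = File.realpath(candidate)
  raise UnsafePath, "symlink escapes #{base}" unless inside.call(real)
  raise UnsafePath, "not a regular file" unless File.file?(real)

  # File.open takes the string as a path only; it has no pipe form.
  File.open(real, "rb") { |f| f.read }
end

# Constructed demo: exercises the function in a throwaway directory.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "report.txt"), "ok\n")
    File.write(File.join(dir, "|env"), "just a file\n") # literal file name
    results = {}
    ["report.txt", "|env", "|missing", "../etc/passwd", "~root/.profile"].each do |name|
      results[name] =
        begin
          read_download(dir, name)
        rescue UnsafePath, SystemCallError => e
          e.class
        end
    end
    results
  end
end

demo.each { |name, result| puts "#{name.inspect} -> #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```

A name beginning with `|` is either read as a literal file inside the directory or fails with `Errno::ENOENT`; it is never handed to a shell.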