[RFC] Deprecate `URI.open("|command-here")` due to security issues
Closed this issue · 2 comments
I believe that `URI.open()` should not accept `"|command"` style arguments (ex: `URI.open("|ls")`). I understand that `URI.open()` builds upon `Kernel.open()`, which does accept `"|command"` style arguments, however `"|command-here"` is not a valid URI and thus should not be accepted by `URI.open()`. This would also help close a common vulnerability code path where developers pass arbitrary user input to `URI.open()` assuming that only valid URIs will be passed to it, but an attacker can achieve Remote Command Execution by passing in `|evil-command-here` instead of a `https://` URI.
This could be deprecated with a warning at first, then removed entirely in Ruby 4.0.0.
This could be implemented by adding a `warn` deprecation message for any arguments that do not respond to `open` nor match the URI scheme regexp:
Lines 26 to 32 in fa828d9
Or if we wanted to move forward with not allowing `URI.open("|command")` entirely, we could parse all URIs using `URI.parse` or `URI()` and always call `.open` on them.
```ruby
def self.open(uri, *rest, &block)
  uri = URI(uri)
  uri.open(*rest, &block)
end
```
This is resolved by ruby/ruby#7915
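An added example, not part of the original issue or of Ruby's own code: application code that receives untrusted input can apply the parse-then-open approach proposed in the issue itself, so the string never reaches `Kernel#open`. The names `ALLOWED_SCHEMES`, `UnsafeURIError`, `validated_http_uri`, `fetch_untrusted` and `allowed?` are hypothetical, and the http/https allowlist is an assumption about what the application expects.

```ruby
require "uri"
require "open-uri"

# Assumption: the application only ever needs to fetch web URLs.
ALLOWED_SCHEMES = %w[http https].freeze

class UnsafeURIError < ArgumentError; end

# Parse untrusted input and return a URI::HTTP / URI::HTTPS object.
# Anything that is not an absolute http(s) URI with a host is rejected,
# which covers pipe-style strings, bare file paths and other schemes.
def validated_http_uri(input)
  uri = begin
    URI.parse(input.to_s)
  rescue URI::InvalidURIError
    raise UnsafeURIError, "input is not a parseable URI"
  end

  ok = uri.is_a?(URI::HTTP) &&                 # URI::HTTPS subclasses URI::HTTP
       ALLOWED_SCHEMES.include?(uri.scheme) &&
       !uri.host.to_s.empty?
  raise UnsafeURIError, "scheme or host not allowed" unless ok

  uri
end

# Open the validated URI through OpenURI::OpenRead#open on the URI object,
# never through URI.open / Kernel#open on the raw string.
def fetch_untrusted(input, *rest, &block)
  validated_http_uri(input).open(*rest, &block)
end

# Convenience predicate for callers that only need a yes/no answer.
def allowed?(input)
  validated_http_uri(input)
  true
rescue UnsafeURIError
  false
end
```

`fetch_untrusted` performs a real HTTP request, so only the validation helpers are exercised offline.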