ruby/open-uri

[RFC] Deprecate `URI.open("|command-here")` due to security issues


I believe that URI.open() should not accept "|command" style arguments (ex: URI.open("|ls")). I understand that URI.open() builds upon Kernel.open(), which does accept "|command" style arguments, however "|command-here" is not a valid URI and thus should not be accepted by URI.open(). This would also help close a common vulnerability code path where developers pass arbitrary user input to URI.open() assuming that only valid URIs will be passed to it, but an attacker can achieve Remote Command Execution by passing in |evil-command-here instead of a https:// URI.

This could be deprecated with a warning at first, then removed entirely in Ruby 4.0.0.

This could be implemented by adding a deprecation warning for any argument that neither responds to `open` nor matches the URI scheme regexp:

open-uri/lib/open-uri.rb

Lines 26 to 32 in fa828d9

```ruby
elsif name.respond_to?(:to_str) &&
      %r{\A[A-Za-z][A-Za-z0-9+\-\.]*://} =~ name &&
      (uri = URI.parse(name)).respond_to?(:open)
  uri.open(*rest, &block)
else
  super
end
```

Or if we wanted to move forward with not allowing URI.open("|command") entirely, we could parse all URIs using URI.parse or URI() and always call .open on them:

```ruby
def self.open(uri, *rest, &block)
  uri = URI(uri)
  uri.open(*rest, &block)
end
```
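Until the library change lands, a call site can enforce the same rule itself. The following is an added example, not code from the issue or from the open-uri gem; the helper names `safe_http_uri` and `safe_fetch` and the http/https allow-list are assumptions:

```ruby
require 'open-uri'
require 'uri'

# Added example (not from the issue or the open-uri gem): validate untrusted
# input before it reaches URI.open, so strings such as "|command" are never
# handed to Kernel#open's pipe handling.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns a URI::HTTP or URI::HTTPS instance for +input+, or raises
# ArgumentError. Assumption: only web URLs are acceptable at this call site.
def safe_http_uri(input)
  str = input.to_str
  # Same "scheme://" shape open-uri checks before delegating to URI.parse;
  # "|ls", bare paths and empty strings all fail here.
  unless %r{\A[A-Za-z][A-Za-z0-9+\-.]*://} =~ str
    raise ArgumentError, "not a URI with a scheme: #{str.inspect}"
  end
  uri = URI.parse(str)
  # URI.parse accepts file:, ftp: and others; allow-list the schemes we serve.
  unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase) && uri.host
    raise ArgumentError, "scheme not allowed: #{uri.scheme.inspect}"
  end
  uri
end

# Fetch only through the URI object's own #open (OpenURI::OpenRead),
# never through Kernel#open / URI.open with a raw string.
def safe_fetch(input, &block)
  safe_http_uri(input).open(&block)
end
```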

hsbt commented

This is resolved by ruby/ruby#7915