Feature #19630

closed

[RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues

Added by postmodern (Hal Brodigan) 12 months ago. Updated 9 months ago.

Status: Closed
Assignee: -
Target version: -
[ruby-core:113407]

Description

Kernel.open() is the source of numerous security issues, due to the fact that it can be used to execute commands if given a String argument of the form "|command-here". However, in most uses of Kernel.open() the developer appears to either want to open a local file, or, if 'open-uri' was explicitly required, open a remote URI. We should deprecate calling Kernel.open() with "|command-here"-style arguments, with a warning message instructing the developer to use IO.popen() instead. Eventually, support for Kernel.open("|command-here") could be removed completely, in favor of having the developer explicitly call IO.popen() or URI.open().
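An added example (not part of this issue or of Ruby's own code) showing the defensive split the proposal asks for: a file-only opener that refuses the `"|command"` form Kernel#open would interpret as a subprocess, and a separate, explicit `IO.popen` helper for callers who really want one. The module and method names are assumptions for illustration.

```ruby
require "tempfile" # only used by the usage code at the bottom

# Hypothetical helper module (not from the issue or from Ruby's stdlib).
module SafeOpen
  # The argument shape Kernel#open treats as "spawn this command".
  PIPE_PREFIX = /\A\s*\|/

  # True when Kernel#open would run +arg+ as a command rather than open a file.
  def self.command_form?(arg)
    arg.is_a?(String) && arg.match?(PIPE_PREFIX)
  end

  # Opens +path+ strictly as a local file. Unlike Kernel#open, a leading "|"
  # is rejected up front; File.open itself never interprets "|" specially.
  def self.open_file(path, mode = "r", &block)
    if command_form?(path)
      raise ArgumentError, "refusing pipe-style path: #{path.inspect}"
    end
    File.open(path, mode, &block)
  end

  # The explicit replacement the issue recommends for intentional subprocesses:
  # IO.popen with an argv array, so no shell parses the command string.
  def self.run_command(argv)
    raise ArgumentError, "argv must be an Array" unless argv.is_a?(Array)
    IO.popen(argv, &:read)
  end
end

if $PROGRAM_NAME == __FILE__
  tmp = Tempfile.new("safe_open") # constructed sample input
  tmp.write("hello")
  tmp.flush
  puts SafeOpen.open_file(tmp.path, &:read)        # hello
  puts SafeOpen.command_form?("|echo pwned")       # true
  begin
    SafeOpen.open_file("|echo pwned")
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
  puts SafeOpen.run_command(["echo", "explicit"])  # explicit
end
```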


Related issues (2; 0 open, 2 closed)

- Related to Ruby master - Misc #15893: open-uri: URI.open (Closed; assignee: akr (Akira Tanaka))
- Related to Ruby master - Feature #19723: [RFC] Deprecate/disallow passing `"|command..."` values to open-uri's URI.open() method (Closed)
