Bug #11915
closed
File.read reading string starting with | executes it.
Added by yxhuvud (Linus Sellberg) almost 9 years ago.
Updated over 5 years ago.
Description
puts File.read "|/bin/ls"
[output of executing ls]
=> nil
This is quite surprising behaviour.
It is one thing that some of the .open methods actually can execute stuff, but a method named 'read' should not behave like that.
- Description updated (diff)
Linus Sellberg wrote:
It is one thing that some of the .open methods actually can execute stuff, but a method named 'read' should not behave like that.
File.open does not.
Some class methods of IO, e.g. IO.foreach and IO.read, deal with a pipeline.
Seems a documentation issue.
Nobuyoshi Nakada wrote:
Linus Sellberg wrote:
It is one thing that some of the .open methods actually can execute stuff, but a method named 'read' should not behave like that.
File.open does not.
But File.read DOES. Which is what I find wrong. That File.open doesn't is another reason to not have .read do that.
People should (hopefully) always read files with an absolute path prefix, but something like this could be surprising:
userinput = "|env"
Dir.chdir("/app/public/downloads") do
  puts File.read(userinput)
end
(Yes, it's a contrived example.)
It makes sense if IO handles pipes, but File should probably mean real files.
- Status changed from Open to Closed
This was fixed in Ruby 2.6:
$ ruby26 -e 'File.read "|/bin/ls"'
Traceback (most recent call last):
1: from -e:1:in `<main>'
-e:1:in `read': No such file or directory @ rb_sysopen - |/bin/ls (Errno::ENOENT)
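A hardened form of the contrived download example from the thread, as an added example that is not code from the report or from Ruby itself. The helper name `read_download` and its containment policy are assumptions, and the sample files are constructed; it behaves the same on Ruby versions before and after the 2.6 change.

```ruby
require "tmpdir"

# Hypothetical helper: the name and the containment policy are assumptions
# of this example, not part of Ruby or of the bug report.
def read_download(base_dir, user_input)
  name = user_input.to_s
  raise ArgumentError, "empty or NUL-containing name" if name.empty? || name.include?("\0")

  base = File.realpath(base_dir)
  # Anchoring the name to an absolute path means the string handed to Ruby
  # never starts with "|", so no Ruby version can treat it as a pipeline.
  # realpath also resolves symlinks and raises Errno::ENOENT if nothing exists.
  full = File.realpath(File.expand_path(name, base))
  unless full.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "path escapes #{base}"
  end

  # File.open never spawns a process; only a real file can be returned.
  File.open(full, "rb", &:read)
end

# Constructed demo: runs the thread's inputs against a temporary directory.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "report.txt"), "hello\n")
    File.write(File.join(dir, "|note"), "literal file\n")
    ["report.txt", "|note", "|env", "../../etc/passwd"].map do |input|
      begin
        [input, :ok, read_download(dir, input)]
      rescue ArgumentError, SystemCallError => e
        [input, :refused, e.class]
      end
    end
  end
end

demo.each { |row| p row } if __FILE__ == $PROGRAM_NAME
```

A name beginning with `|` is only ever looked up as a literal file name inside the base directory: `|note` is read because that file exists, and `|env` fails with `Errno::ENOENT`.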