Project

General

Profile

Actions
Copy link

Feature #19723

closed

[RFC] Deprecate/disallow passing `"|command..." values to open-uri's URI.open() method

Feature #19723: [RFC] Deprecate/disallow passing `"|command..." values to open-uri's URI.open() method

Added by postmodern (Hal Brodigan) over 2 years ago. Updated over 2 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:113864]

Description

Due to Kernel.open() supporting opening pipe-commands (ex: "|command-here...") this has led to multiple 1 security 2 vulnerabilities 3, where malicious user-input eventually is passed to Kernel.open(). One of the code-paths that malicious user-input can reach Kernel.open() is via open-uri's URI.open() method. RuboCop even recommends avoiding using URI.open() in favor of uri = URI.parse(...); uri.open to avoid accidentally opening malicious "|command..." inputs. I propose that URI.open() should not accept pipe-commands, as they are neither URIs nor files. One could even argue that URI.open() should only accept URIs and never fallback to Kernel.open().

Related issues 1 (0 open1 closed)

Related to Ruby - Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issuesClosedActions
Actions
Copy link

Also available in: PDF Atom