Ruby

534 readers

1 users here now

A community for discussion and news about Ruby programming.

Learning Ruby?

Try Ruby in your browser

Tools

Ruby Version Manager (RVM) Install, manage and work with multiple Ruby environments. adsf is an increasingly popular option too.
rbenv Groom your app’s Ruby environment with rbenv.
Looking for new gems? ruby-toolbox
Install Ruby on macOS

Documentation

Ruby API or Ruby Doc
YARD docs via rubydoc.info YARD Documentation Server

Books

Screencasts

News and updates

Ruby news in a weekly email from Ruby Weekly
'Planet' of Ruby blogs at rubyland.news
Ruby tweets at @RubyInside

founded 1 year ago

MODERATORS

snowe

erlingur

Proposal to deprecate "|command-here" inputs for Kernel.open() accepted (bugs.ruby-lang.org)

submitted 1 year ago by postmodern to c/ruby

1 comments fedilink hide all child comments

Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen() resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.

top 1 comments

sorted by: hot top controversial new old

[–] [email protected] 2 points 1 year ago

I'm glad security is getting some good efforts!