Danger Will Robinson

Rick DeNatale — Thu, 05 Oct 2006 11:23:00 -0400

Ruby has a nifty method in kernel called open. It’s quite powerful in the way it interprets its first argument, a string telling it what to open. It can open a file, or it can open a pipe to a sub-process it creates to run a command in that string. It takes quite a bit of open function has a similar interpretation of it’s first argument. Again it takes quite a bit of documentation to describe.

Which is a cause for concern. Most things that powerful can be misused.

I use an application called Awstats to get statistics on my websites. Awstats is a very popular application which is written in perl.

But I long ago disallowed access to Awstats from the outsite world after I found that my system had been compromised by a bad guy exploiting perl’s open function.

Kernel#open, like perl’s open interprets a path starting with ”|” as a pipe, and effectively calls IO#popen under the covers, while File#open doesn’t.

This is dangerous if the path argument is coming from a user, say in a web application, because it opens the same security exposure which plagued Awstats, which has had several nasty security bugs because it wasn’t verifying urls and the nasties were doing things which exploited that like getting it to ‘pipe’ to wget to download worms.

When I first came across Ruby’s File#open I was happy to see that IT just treats the name argument as a file path, and chokes if it starts with a ”|”, and that there was IO#popen which explicitly opens pipes to a command running in a subprocess.

I think that it’s generally better practice in ruby to eschew Kernel#open and use either File#open to open files, and IO#popen to open pipes so that it’s clear what’s happening.

While the Kernel#open method might be convenient and safe in controlled cases, it seems like it might be the basis of a bad habit when it matters.

Talk Like A Duck: Danger Will Robinson

Danger Will Robinson