Just be VERY VERY careful when using back-ticks or any other form of
Kernel.system().
For instance, since this is a Rails list, I assume you are using,
well, Rails. Suppose you want to pass the input from a form to a
subprocess. If you wrote:
book = params[:book]
cmd = "/usr/local/bin/doit #{book}"
Kernel.system(cmd)
you will have created a machine that will be "pwned" nearly instantly.
A safer, but still not 100% safe, method is to use an array:
cmd = [ "/usr/local/bin/doit", book ]
Kernel.system(*cmd)
Here are some examples of the differences:
>> cmd = "/bin/ls `foobar`"
=> "/bin/ls `foobar`"
>> Kernel.system(cmd)
sh: foobar: command not found <-------- NOTE! Security hole!
Compare to:
>> cmd = ["/bin/ls", "`foobar`" ]
=> ["/bin/ls", "`foobar`"]
>> Kernel.system(*cmd)
ls: `foobar`: No such file or directory <---- Note (good result)
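As an added example (not code from the post), the same contrast in runnable Ruby: the interpolated string the post warns about, the argv-array form beside it, a Shellwords-escaped fallback for when a shell string cannot be avoided, and a small check for shell metacharacters that is useful in code review. `/usr/local/bin/doit` is the post's hypothetical program; `/bin/echo` is assumed present only for the demo run at the bottom.

```ruby
require "open3"
require "shellwords"

# Untrusted input such as params[:book] from a form (constructed sample value).
HOSTILE_BOOK = "`foobar`"

# The pattern the post warns about: a single string makes Kernel.system hand
# the command to /bin/sh, which evaluates backticks, ;, |, $(...) and friends.
def unsafe_command(book)
  "/usr/local/bin/doit #{book}"
end

# The array form: Ruby execs the program directly with an argv, no shell in
# between, so metacharacters reach the program as one literal argument.
def safe_argv(book)
  ["/usr/local/bin/doit", book]
end

# If a shell string is unavoidable (e.g. a pipeline), quote each untrusted piece
# so the shell treats it as data. Still prefer the argv form where possible.
def escaped_command(book)
  "/usr/local/bin/doit #{Shellwords.escape(book)}"
end

# Review aid: does this value contain anything /bin/sh would interpret?
def shell_metachar?(value)
  value.match?(/[`$;|&<>()\s'"\\*?\[\]{}~!\n]/)
end

# Run an argv array (never a single string) and return [combined output, success?].
def run_argv(argv)
  out, status = Open3.capture2e(*argv)
  [out, status.success?]
end

if __FILE__ == $0
  puts "interpolated: #{unsafe_command(HOSTILE_BOOK).inspect}"
  puts "argv:         #{safe_argv(HOSTILE_BOOK).inspect}"
  puts "escaped:      #{escaped_command(HOSTILE_BOOK).inspect}"
  begin
    # /bin/echo stands in for doit: via argv it prints the backticks literally.
    out, ok = run_argv(["/bin/echo", HOSTILE_BOOK])
    puts "echo via argv printed #{out.inspect} (success=#{ok})"
  rescue SystemCallError => e
    warn "could not spawn /bin/echo: #{e.message}"
  end
end
```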