Michael Graff wrote:
> Just be VERY VERY careful when using back-ticks or any other form of
> Kernel.system().
>
> For instance, since this is a Rails list, I assume you are using,
> well, Rails. Suppose you want to pass the input from a form to a
> subprocess. If you wrote:
>
> book = params[:book]
> cmd = "/usr/local/bin/doit #{book}"
> Kernel.system(cmd)
>
> you will have created a machine that will be "pwned" nearly instantly.
>
> A safer, but still not 100% safe, method is to use an array:
>
> cmd = [ "/usr/local/bin/doit", book ]
> Kernel.system(*cmd)
>
> Here are some examples of the differences:
>
>>> cmd = "/bin/ls `foobar`"
> => "/bin/ls `foobar`"
>>> Kernel.system(cmd)
> sh: foobar: command not found <-------- NOTE! Security hole!
>
> Compare to:
>
>>> cmd = ["/bin/ls", "`foobar`" ]
> => ["/bin/ls", "`foobar`"]
>>> Kernel.system(*cmd)
> ls: `foobar`: No such file or directory <---- Note (good result)
Hi,
Michael, thanks for the input. You are right, I am using it within
Rails. I don't intend to execute any system commands like ls, etc. I would
want to execute Ruby scripts only, like calling some methods, some print
commands and some control structures.
Does a Kernel.system call not need a new thread, and is that handled in
Rails? Also, how about using load or popen3? Don't these have any way of
redirecting the output to a file? I am asking a lot of questions, but I
am still not clear which is the best method to use for executing the
Ruby scripts.
--
Posted via http://www.ruby-forum.com/.
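The following is an added example (my own code, not from Michael's post or the original poster) that makes the string-vs-array difference in the quoted irb session testable, and also answers the reply's questions about popen3 and about sending a child script's output to a file. It assumes a POSIX /bin/sh and a printf binary on PATH; the hostile input and the child Ruby script are constructed for the demo, and valid_book? is a hypothetical allowlist for a form field like params[:book].

```ruby
# Added example: string vs. argv forms of process spawning in Ruby, plus
# Open3 and file redirection. Not code from the thread; the probe commands
# (printf, a generated child Ruby script) are constructed for the demo.
require "open3"
require "rbconfig"
require "tempfile"

# Constructed attacker-controlled value, e.g. params[:book] from a form.
HOSTILE_INPUT = "a; echo INJECTED"

# VULNERABLE (kept that way on purpose): a single string is handed to
# /bin/sh -c, so ';', '`', '$()', '|' and friends are interpreted by the shell.
def run_string(input)
  out, _status = Open3.capture2e("printf %s #{input}")
  out
end

# SAFER: an argv array goes straight to exec(), no shell; the input arrives
# at printf as one literal argument. Open3.capture2e is the popen3 relative
# that also collects stdout+stderr for you.
def run_argv(input)
  out, _status = Open3.capture2e("printf", "%s", input)
  out
end

# The argv form is still not 100% safe: the called program sees the raw
# value. A value starting with '-' may be parsed as an option, and some
# programs spawn their own shell. So allowlist the shape of the value first.
BOOK_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/
def valid_book?(book)
  book.is_a?(String) && BOOK_RE.match?(book)
end

# Run a Ruby script in a child process with stdout and stderr written to a
# file, using Kernel.system's argv form and its :out/:err spawn options
# instead of shell '>' redirection. Kernel.system blocks until the child
# exits and returns true on exit status 0.
def run_ruby_script_to_file(ruby_script, arg, log_path)
  raise ArgumentError, "bad argument: #{arg.inspect}" unless valid_book?(arg)
  ok = Kernel.system(RbConfig.ruby, ruby_script, arg,
                     out: [log_path, "w"], err: [:child, :out])
  [ok, File.read(log_path)]
end

# Demo helper: writes a constructed child script, runs it, returns
# [exit_ok, captured_log] and cleans up the temp files.
def demo_child_script(arg)
  script = Tempfile.new(["child", ".rb"])
  script.write(<<~'RUBY')
    # constructed child script: echoes its argument; no shell involved
    $stdout.sync = true
    puts "child got #{ARGV.first.inspect}"
    $stderr.puts "stderr line"
  RUBY
  script.close
  log = Tempfile.new("log")
  log.close
  run_ruby_script_to_file(script.path, arg, log.path)
ensure
  script&.unlink
  log&.unlink
end

if __FILE__ == $0
  puts "string form: #{run_string(HOSTILE_INPUT).inspect}"  # shell ran echo
  puts "array form:  #{run_argv(HOSTILE_INPUT).inspect}"    # literal argument
  ok, log = demo_child_script("ruby-book")
  puts "child exit ok=#{ok}, log=#{log.inspect}"
end
```

Running the block shows the string form producing "aINJECTED\n" (the shell executed the injected echo) while the argv form prints the literal "a; echo INJECTED". Note that both Kernel.system and Open3.capture2e wait for the child, so inside a Rails request the request blocks until the script finishes; the :out and :err options of system/spawn are the way to redirect a child's output to a file without going through a shell.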
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
http://groups.google.com/group/rubyonrails-talk?hl=en