Infosec.Pub

Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen() resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.

submitted 2 years ago* (last edited 2 years ago) by postmodern to c/ruby_infosec
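
Added example, not part of the original post or of Ruby itself: one way to avoid the problem described above is to decide explicitly what an untrusted string is and to open local files with `File.open`, which treats its argument only as a filename. The helper names `classify_resource` and `read_user_file`, the error class and the sample inputs are constructed for illustration.

```ruby
require "uri"
require "tmpdir"

class UnsafeInputError < ArgumentError; end

# Decide explicitly what the untrusted string is, instead of letting
# Kernel.open() choose between file, URL and "|command".
def classify_resource(input)
  s = input.to_s
  raise UnsafeInputError, "pipe-style input rejected" if s.start_with?("|")
  begin
    return :url if URI.parse(s).is_a?(URI::HTTP) # URI::HTTPS subclasses URI::HTTP
  rescue URI::InvalidURIError
    # Not a URI (for example, it contains spaces): treat it as a path.
  end
  :path
end

# Read a file named by the user, confined to base_dir. File.open treats its
# argument purely as a filename, so a leading "|" is never run as a command.
def read_user_file(input, base_dir)
  raise UnsafeInputError, "not a local path" unless classify_resource(input) == :path
  base = File.realpath(base_dir)
  full = File.expand_path(input.to_s, base)
  unless full.start_with?(base + File::SEPARATOR)
    raise UnsafeInputError, "path escapes base directory"
  end
  File.open(full, "r", &:read)
end

# Run each constructed input through the helper and record the outcome.
def demo
  inputs = ["notes.txt", "|echo constructed-marker", "../outside.txt", "https://example.com/a"]
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "notes.txt"), "hello")
    inputs.to_h do |input|
      outcome = begin
        read_user_file(input, dir)
      rescue UnsafeInputError => e
        "rejected: #{e.message}"
      end
      [input, outcome]
    end
  end
end

demo.each { |input, outcome| puts "#{input.inspect} => #{outcome}" } if __FILE__ == $PROGRAM_NAME
```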
 
 
