authorshugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2018-03-20 09:09:49 +0000
committershugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2018-03-20 09:09:49 +0000
commit798316eac260e3cd683da2be23fef53ee64cee00 (patch)
tree081afeacb9461d2e28caedb15d38dcc40d15d627
parentce848356aeafcb0cae6a74e6ff38f4cbc1f2142e (diff)
io.c: Methods of File should not invoke external commands
For security reasons, File.read, File.binread, File.write, File.binwrite, File.foreach, and File.readlines should not invoke external commands even if the path starts with the pipe character |. [ruby-core:84495] [Feature #14245] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62857 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--NEWS6
-rw-r--r--io.c7
-rw-r--r--test/ruby/test_io.rb4
3 files changed, 9 insertions, 8 deletions
diff --git a/NEWS b/NEWS
index 23efa7a108..d05ee71870 100644
--- a/NEWS
+++ b/NEWS
@@ -138,6 +138,12 @@ with all sufficient information, see the ChangeLog file or Redmine
=== Compatibility issues (excluding feature bug fixes)
+* File
+
+ * File.read, File.binread, File.write, File.binwrite, File.foreach,
+ and File.readlines do not invoke external commands even if the path
+ starts with the pipe character |. [Feature #14245]
+
=== Stdlib compatibility issues (excluding feature bug fixes)
=== C API updates
diff --git a/io.c b/io.c
index e15d44cb12..cb24b283d2 100644
--- a/io.c
+++ b/io.c
@@ -7113,12 +7113,7 @@ rb_io_open_generic(VALUE klass, VALUE filename, int oflags, int fmode,
const convconfig_t *convconfig, mode_t perm)
{
VALUE cmd;
- const int warn = klass == rb_cFile;
- if ((warn || klass == rb_cIO) && !NIL_P(cmd = check_pipe_command(filename))) {
- if (warn) {
- rb_warn("IO.%"PRIsVALUE" called on File to invoke external command",
- rb_id2str(rb_frame_this_func()));
- }
+ if (klass == rb_cIO && !NIL_P(cmd = check_pipe_command(filename))) {
return pipe_open_s(cmd, rb_io_oflags_modestr(oflags), fmode, convconfig);
}
else {
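Review bot: The `klass == rb_cIO` test in the new condition is an exact identity check, and nothing next to it says that this is deliberate; a later change to a subclass-aware check such as `rb_class_inherited_p` would quietly bring pipe handling back for File. I would add a comment above the `if`, for example `/* Only IO itself treats a leading '|' as a command; File and other subclasses always open a real path. [Feature #14245] */`. The comment could also record that IO.read and the other IO singleton methods still spawn a process for a `|`-prefixed name, so callers that handle untrusted file names must go through File.* or validate the path first. rb_io_open_generic's body continues outside the hunk.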
diff --git a/test/ruby/test_io.rb b/test/ruby/test_io.rb
index 7d7e198334..a271c9e677 100644
--- a/test/ruby/test_io.rb
+++ b/test/ruby/test_io.rb
@@ -2196,10 +2196,10 @@ class TestIO < Test::Unit::TestCase
def test_read_command
assert_equal("foo\n", IO.read("|echo foo"))
- assert_warn(/invoke external command/) do
+ assert_raise(Errno::ENOENT, Errno::EINVAL) do
File.read("|#{EnvUtil.rubybin} -e puts")
end
- assert_warn(/invoke external command/) do
+ assert_raise(Errno::ENOENT, Errno::EINVAL) do
File.binread("|#{EnvUtil.rubybin} -e puts")
end
assert_raise(Errno::ENOENT, Errno::EINVAL) do
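Review bot: The two rewritten assertions only check that File.read and File.binread raise Errno::ENOENT or Errno::EINVAL; they do not directly show that no command was started. The regression test would be stronger if the would-be command had an observable side effect, such as creating a marker file in a temporary directory, followed by a check like `assert_equal(false, File.exist?(marker))` after the `assert_raise` block (`marker` is a constructed name here). The commit message also names File.write, File.binwrite, File.foreach and File.readlines; whether those are covered cannot be seen from here, because test_read_command continues past the end of the hunk.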