Proposal to deprecate "|command-here" inputs for Kernel.open() accepted
Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues - Ruby master - Ruby Issue Tracking System
https://bugs.ruby-lang.org/issues/19630
Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen(), resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.
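The vulnerable pattern next to a hardened one, as an added example that is not from the Ruby issue or the Ruby project itself; `unsafe_read`, `safe_read` and `popen_input?` are hypothetical helper names chosen for this illustration.

```ruby
# Added example: why Kernel#open must not see untrusted strings, and what to
# call instead. Helper names are hypothetical, not Ruby APIs.

# Vulnerable pattern: Kernel#open dispatches a string that starts with "|"
# to IO.popen, so a caller-controlled name becomes a shell command.
def unsafe_read(name)
  open(name, &:read)
end

# Detection helper: true when a string would make Kernel#open spawn a
# process instead of opening a file (the exact condition Kernel#open uses).
def popen_input?(name)
  name.is_a?(String) && name.start_with?("|")
end

# Hardened pattern: File.open never interprets "|" as a command, so the
# worst an attacker can do with the name is read a file they can already
# name. The explicit check keeps the intent visible and fails loudly.
def safe_read(name)
  raise ArgumentError, "pipe syntax not allowed: #{name.inspect}" if popen_input?(name)
  File.open(name, "r", &:read)
end
```

For URLs, call `URI.open` from open-uri directly rather than relying on Kernel#open's overloading.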