davetron5000 / optparse-plus

Start your command line scripts off right in Ruby
http://davetron5000.github.com/optparse-plus
Apache License 2.0

methadone should support exec of arrays #44

Closed gchpaco closed 12 years ago

gchpaco commented 12 years ago

Kernel.exec of a string, and anything that calls that (open4, open3, or indirectly the JVM runtime execs), performs an additional layer of tokenization; usually this is done by the shell on Unix systems. It is not difficult to create a difficult-to-escape string that, when passed to a shell, will cause some sort of security escalation; as a simple example, imagine running

sh "rm #{file}"

where file could, say, be equal to "-rf /".

To avoid problems like these, this patch permits users to use exec with an array argument, which is supported by every execution strategy methadone supports. This will not invoke the shell, and so in this case

sh "rm", file

would probably return "file '-rf /' not found".

This change should be backwards compatible.
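The difference the report describes, as an added example that is not part of methadone or of this PR: a hypothetical `run` helper (not methadone's own `sh`) is called once with a single interpolated String and once with an Array. Ruby hands a String containing shell metacharacters to `/bin/sh -c`, which re-tokenizes it, while an Array goes to `exec(2)` as argv. The `rm` from the report is replaced with `echo`, and the argument value is constructed for the example, so it is harmless to run; a third variant shows `Shellwords.join` for the case where a single string really is required.

```ruby
require "open3"
require "shellwords"

# Constructed sample value: looks like one filename but carries shell
# metacharacters. With the String form the shell treats "; echo injected"
# as a second command.
UNTRUSTED_ARG = "report.txt; echo injected"

# Hypothetical helper, not methadone's `sh`: run a command and return its
# stdout. A single String is passed to Process.spawn, which uses /bin/sh -c
# when the string contains shell metacharacters; an Array is passed as argv
# with no shell involved at all.
def run(cmd)
  out, _status = Open3.capture2(*Array(cmd))
  out
end

# String form: the interpolated value is re-tokenized by the shell.
def string_form(arg)
  run("echo #{arg}")
end

# Array form: the value is one argv element, whatever characters it holds.
def array_form(arg)
  run(["echo", arg])
end

# If a single String is unavoidable, quote every word for the shell first.
def quoted_string_form(arg)
  run(Shellwords.join(["echo", arg]))
end

if $PROGRAM_NAME == __FILE__
  puts "string form: #{string_form(UNTRUSTED_ARG).inspect}"
  puts "array form:  #{array_form(UNTRUSTED_ARG).inspect}"
  puts "quoted form: #{quoted_string_form(UNTRUSTED_ARG).inspect}"
end
```

Running it shows the String form printing two lines ("report.txt" and "injected"), while the Array form and the Shellwords-quoted form both print the whole value as a single echo argument; the same split is what turns the report's `rm #{file}` into something other than one filename.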

davetron5000 commented 12 years ago

Thanks for doing this; this is a good call. I'll look into merging this tonight.

davetron5000 commented 12 years ago

Once the tests pass on CI; I'll release a new gem. Thanks again!