You're right, we used `Kernel.open` in the past for maximum compatibility, but this caused CVEs being opened against this Gem, because this method allows for command injection (e.g. if you append `| cat /etc/passwd`). Personally, I think it's debatable whether this merits a CVE, but instead of validating user input (and how? It's easy to think of legitimate users of command injection -- a BibTeX library is not a good place to make a call there) I decided the best option was to just open from the file system directly. `Bibliography.open` just opens the file and passes it on to `parse`, so you can just use `Kernel.open` and pass on the contents to `parse` to get the old behavior back.
I think this is a problem with bibtex-ruby, but may be mistaken. It used to be possible to pass a file specified using a URI to BibTeX.open(file). But in at least the latest version of bibtex-ruby, this is not possible—you get a “No such file or directory” error. It seems as if open-uri is the normal way to handle this. Would be great to reintroduce this feature, as some of my code relies on it!
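A small Ruby illustration of both points in this thread: why `Kernel.open` on a user-supplied string is a command-injection hazard (a leading `|` makes it spawn a shell command), and the read-the-contents-yourself-then-`parse` workaround for URI sources. This is an added example, not bibtex-ruby's code. The helper names `pipe_like?`, `read_source` and `load_bibliography` are mine, and the `parser` argument stands in for `BibTeX.parse`; the default `COUNT_ENTRIES` is a constructed stand-in so the example runs without the gem.

```ruby
require 'uri'
require 'open-uri'

# Kernel#open spawns a subprocess when its argument starts with "|", so a
# user-controlled path such as "|cat /etc/passwd" becomes a command. This
# check makes that property explicit so callers can refuse such input.
def pipe_like?(path)
  path.to_s.lstrip.start_with?('|')
end

# Reads the source without ever going through Kernel#open:
#   - http(s) URIs use open-uri's explicit URI.open (no pipe semantics)
#   - anything else is a filesystem path opened with File.open, which
#     never interprets a leading "|" as a command
def read_source(source)
  raise ArgumentError, "refusing pipe-like path: #{source.inspect}" if pipe_like?(source)

  uri = begin
    URI.parse(source.to_s)
  rescue URI::InvalidURIError
    nil
  end

  if uri && %w[http https].include?(uri.scheme)
    URI.open(source.to_s, 'r') { |io| io.read }
  else
    File.open(source.to_s, 'r') { |io| io.read }
  end
end

# Stand-in parser (assumption, not bibtex-ruby's): counts top-level "@type{"
# entries so the example runs stand-alone. With the gem you would pass
# BibTeX.method(:parse) instead.
COUNT_ENTRIES = ->(text) { text.scan(/^@\w+\s*\{/).length }

# The workaround from the reply: fetch the text yourself (file or URI),
# then hand the contents to the parser rather than letting the library
# open an arbitrary string.
def load_bibliography(source, parser: COUNT_ENTRIES)
  parser.call(read_source(source))
end
```

With bibtex-ruby installed, `load_bibliography('https://example.invalid/refs.bib', parser: BibTeX.method(:parse))` restores the old URI behaviour while keeping the library's own `open` on plain files only.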