thoughtbot / cocaine

A small library for doing (command) lines.
https://robots.thoughtbot.com

shell_quote exploitable #35

Closed apeiros closed 11 years ago

apeiros commented 11 years ago

shell_quote as it is now is broken and can be exploited. I strongly suggest that you at the very least use shellwords from stdlib, which does the same job a lot better. But even better would be if you use one of the spawning methods which bypass the shell entirely. See Kernel#spawn for 1.9 and IO.popen for 1.8. Those accept forms where you can pass arguments individually, which means no escaping is needed at all.
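The two alternatives named above, as an added Ruby example that is not code from cocaine or from the issue author: `Shellwords.escape` when a single command string must still go through `sh`, and the argv form of `Open3.capture2` (which uses `Process.spawn` semantics and never invokes a shell). The untrusted filename is a constructed sample, and the naive interpolation is included only to show that it breaks on such input.

```ruby
require "shellwords"
require "open3"

# Constructed sample: an untrusted argument full of shell metacharacters.
UNTRUSTED_NAME = "odd name '\"; & | $HOME `x`.txt"

# Naive string interpolation: the shell re-parses the argument. Never do this.
def naive_command(name)
  "printf '%s\\n' #{name}"
end

def run_naive(name)
  out, status = Open3.capture2e(naive_command(name))
  [out.chomp, status.success?]
end

# Option 1 ("at the very least"): quote every argument with Shellwords before
# handing one string to the shell.
def escaped_command(name)
  "printf '%s\\n' #{Shellwords.escape(name)}"
end

def run_via_shell_string(name)
  out, status = Open3.capture2(escaped_command(name))
  [out.chomp, status.success?]
end

# Option 2 ("even better"): pass argv elements separately. No shell runs, so
# no escaping is needed and metacharacters are plain bytes in the argument.
def run_via_argv(name)
  out, status = Open3.capture2("printf", "%s\n", name)
  [out.chomp, status.success?]
end

if $PROGRAM_NAME == __FILE__
  puts "naive:    #{run_naive(UNTRUSTED_NAME).inspect}"
  puts "escaped:  #{run_via_shell_string(UNTRUSTED_NAME).inspect}"
  puts "argv:     #{run_via_argv(UNTRUSTED_NAME).inspect}"
end
```

Both hardened variants hand the child process the argument byte-for-byte; the naive variant fails to parse at all on this input, and on other inputs the shell would happily act on the metacharacters.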

jyurek commented 11 years ago

Can you email me outside this list and explain the problem? My email is my username at thoughtbot.com

jyurek commented 11 years ago

Please let me know about this issue privately. I'm going to close this issue on Friday if you cannot provide me with an example case. Thanks.

jyurek commented 11 years ago

I'm closing this for lack of example. If it's actually a problem, please let me know what is exploitable so we can fix it.