[BUG] system() isn't safe on win32

[Florian Gross]

Moin!

This ruby one-liner

ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
in safe mode.'"

produces this scary result:

ruby 1.8.0 (2003-08-04) [i386-mswin32]
Was able to run an arbitrary command in safe mode.

IMHO this effectively disables all the security which $SAFE ought to
give you and should be fixed in the ruby interpreter.

However it can also be fixed without patching ruby with a few simple
lines of ruby code so you can patch existing applications as soon as
possible:

kernel_meta = class << Kernel; self; end
[kernel_meta, Object].each { |c| c.module_eval {
old_system = instance_methodsystem)
define_methodsystem) { |*args|
raise(SecurityError, "I'm afraid I can't do that, Dave") \
if $SAFE > 1
old_system.bind(self).call(*args)
}
}

Regards,
Florian Gross

 

[Yukihiro Matsumoto]

Hi,

In message "[BUG] system() isn't safe on win32"

|This ruby one-liner
|
| ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
| in safe mode.'"
|
|produces this scary result:
|
| ruby 1.8.0 (2003-08-04) [i386-mswin32]
| Was able to run an arbitrary command in safe mode.
|
|IMHO this effectively disables all the security which $SAFE ought to
|give you and should be fixed in the ruby interpreter.

It shouldn't happen. Does anyone confirm this?

How did you invoke ruby? From cmd.exe or Cygwin bash?
The only reasonable explanation I can think of now is:

using bash (or any other UNIXish shell)
have environment variables named SAFE,
which value looks like valid identifier

In this case,

ruby -ve '$SAFE = 5; system "echo Was able to run an arbitrary command in safe mode."'

(note exchanged ' and ") should work. But there might be other reasons.

matz.

 

[U.Nakamura]

Hello,

In message "Re: [BUG] system() isn't safe on win32"
| |This ruby one-liner
| |
| | ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
| | in safe mode.'"
| |
| |produces this scary result:
| |
| | ruby 1.8.0 (2003-08-04) [i386-mswin32]
| | Was able to run an arbitrary command in safe mode.
| |
| |IMHO this effectively disables all the security which $SAFE ought to
| |give you and should be fixed in the ruby interpreter.
|
| It shouldn't happen. Does anyone confirm this?

It's bug of mswin32 (and mingw32, bccwin32). Sorry.
I've fixed it on CVS.


Regards,

 

[David Garamond]

| ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
| in safe mode.'"
|
|produces this scary result:
|
| ruby 1.8.0 (2003-08-04) [i386-mswin32]
| Was able to run an arbitrary command in safe mode.

It shouldn't happen. Does anyone confirm this?

Yes, same output here. Ruby 1.8.0 (mswin32), CMD.EXE, Win2k+SP2. Also
same output regardless of $SAFE is 3, 4, 5. $SAFE >= 3 correctly forbids
system() on my Linux box.

Haven't tried the cygwin version though.

 

[Robert Klemme]

| ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command
| in safe mode.'"
|
|produces this scary result:
|
| ruby 1.8.0 (2003-08-04) [i386-mswin32]
| Was able to run an arbitrary command in safe mode.

It shouldn't happen. Does anyone confirm this?

Yes, same output here. Ruby 1.8.0 (mswin32), CMD.EXE, Win2k+SP2. Also
same output regardless of $SAFE is 3, 4, 5. $SAFE >= 3 correctly forbids
system() on my Linux box.

Haven't tried the cygwin version though.

That is ok:

09:49:27 [w]: ruby -ve '$SAFE = 5; system "echo Was able to run"'
ruby 1.8.0 (2003-08-04) [i386-cygwin]
-e:1:in `system': Insecure operation - system (SecurityError)
from -e:1
09:49:43 [w]:

robert