DATA.seek allows to read file

[Robert Klemme]

Hi,

I just noticed this:

09:57:58 ~$ allruby /c/Temp/d.rb
CYGWIN_NT-5.1 padrklemme2 1.7.7(0.230/5/3) 2010-08-31 09:58 i686 Cygwin
========================================
ruby 1.8.7 (2008-08-11 patchlevel 72) [i386-cygwin]
"line 1\nline 2\n"
"\np DATA.read\nDATA.seek 0\np DATA.read\n\n__END__\nline 1\nline 2\n"
========================================
ruby 1.9.2p136 (2010-12-25 revision 30365) [i386-cygwin]
"line 1\nline 2\n"
"\np DATA.read\nDATA.seek 0\np DATA.read\n\n__END__\nline 1\nline 2\n"
========================================
jruby 1.4.0 (ruby 1.8.7 patchlevel 174) (2009-11-02 69fbfa3) (Java
HotSpot(TM) Client VM 1.6.0_23) [x86-java]
"line 1\nline 2\n"
""
09:58:31 ~$ cat /c/Temp/d.rb

p DATA.read
DATA.seek 0
p DATA.read

__END__
line 1
line 2
09:58:37 ~$

In other words, I can read what's before __END__ if I simply seek.
IMHO that is a bad thing and may even be used for attacks.

Btw, I stumbled across this by doing this:

10:01:24 ~$ ruby19 /c/Temp/dd.rb
["require 'csv'"]
[]
["CSV.foreach DATA do |rec|"]
[" p rec"]
["end"]
[]
["__END__"]
["line 1"]
["line 2"]
10:01:33 ~$ cat /c/Temp/dd.rb
require 'csv'

CSV.foreach DATA do |rec|
p rec
end

__END__
line 1
line 2
10:01:37 ~$

Maybe it's not such a good idea for CSV.foreach to seek to 0 before
starting to read. As a user of CSV I would always want it to start
off where the IO currently points to. James, what do you think?

Kind regards

robert

 

[Caius Durling]

In other words, I can read what's before __END__ if I simply seek.
IMHO that is a bad thing and may even be used for attacks.

I've written a script in the past that (ab)used that to use DATA as a =
small datastore, rather than writing out to a separate data file. I had =
to write out the entire file though, including the source code, so being =
able to just seek back to 0 and read from there was helpful for writing =
the script.

C

 

[James Edward Gray II]

On 11 Jan 2011, at 09:03, Robert Klemme wrote:
=20

I love the feature. It's one of those fun things to abuse.

I've written a script in the past that (ab)used that to use DATA as a =

small datastore=85

I've done that too.

rather than writing out to a separate data file. I had to write out =

the entire file though, including the source code=85

You don't have to rewrite the code, if you are careful:

#!/usr/bin/env ruby -wKU

pos =3D DATA.pos # memorize position after __END__

# do whatever
count =3D DATA.read.to_i
puts "Count: #{count}"
count +=3D 1

DATA.reopen(__FILE__, "a+") # turn on writing mode
DATA.truncate(pos) # remove the DATA section
DATA.puts count # update DATA

__END__
0

James Edward Gray II