John Carter
I have just stumbled on a small security Gotcha in my code, that is
probably common to quite a lot of code...
ruby-1.8.2 -e 'p $:'
["/usr/lib/ruby/site_ruby/1.8", "/usr/lib/ruby/site_ruby/1.8/i686-linux",
"/usr/lib/ruby/site_ruby", "/usr/lib/ruby/1.8",
"/usr/lib/ruby/1.8/i686-linux", "."]
Now if you do, like I do,
$: << "/The/place/where/my/ruby/modules/live"
require 'MyModule'
Look what that does...
ruby-1.8.2 -e '$: << "/The/place/where/my/ruby/modules/live";p $:'
["/usr/lib/ruby/site_ruby/1.8", "/usr/lib/ruby/site_ruby/1.8/i686-linux",
"/usr/lib/ruby/site_ruby", "/usr/lib/ruby/1.8",
"/usr/lib/ruby/1.8/i686-linux", ".",
"/The/place/where/my/ruby/modules/live"]
Then "." is on the library path _before_ your user path.
So a Bad Hat (or just plain Murphy as in Murphy's Law) could put his own
nasty version of MyModule.rb on the current working directory and
thereafter your App does Strange Things.
Solution 1:
$:.unshift "/The/place/where/my/ruby/modules/live"
I don't like that as then if Murphy places anything with a module name
that is the same as a system module in "/The/place/where/my/ruby/modules/live"
then suddenly all system modules start behaving in mysterious ways.
Solution 2:
$:.reject!{|p| p[0] != ?/} # Only allow absolute paths
$: << "/The/place/where/my/ruby/modules/live"
require 'MyModule'
John Carter Phone : (64)(3) 358 6639
Tait Electronics Fax : (64)(3) 359 4632
PO Box 1645 Christchurch Email : (e-mail address removed)
New Zealand
Refactorers do it a little better every time.
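Added example, not part of John's post: it rebuilds the scenario above in a throwaway directory (a decoy MyModule.rb in the working directory, the genuine one in the user's module directory) and compares which file a search of the load path would hit with the plain `$: << dir` append against Solution 2's "absolute paths only" filter. The system directories in the constructed load path mirror the 1.8 output shown above; they need not exist, and "." is included by hand because Rubies from 1.9.2 onward no longer put it on $: themselves. `hardened_load_path` and `resolve_feature` are names chosen here, and the code works on copies of the array rather than mutating $:, so the caller decides whether to assign the result back.

```ruby
# Added example (not from the original post): the "." before user path
# gotcha, and the Solution 2 fix of keeping only absolute load-path entries.
require 'tmpdir'
require 'fileutils'

# Return a copy of +load_path+ with every relative entry (including ".")
# dropped and +user_dir+ appended as an absolute path. Nothing is mutated;
# assign the result to $: yourself if that is what you want.
# String#start_with? replaces the post's `p[0] != ?/` test; both accept
# only entries that begin with "/".
def hardened_load_path(load_path, user_dir)
  absolute = load_path.select { |p| p.start_with?("/") }
  absolute + [File.expand_path(user_dir)]
end

# Resolve which file `require name` would pick up for a given load path,
# scanning entries in order the way require does. Returns nil if none match.
def resolve_feature(load_path, name)
  load_path.each do |dir|
    candidate = File.join(dir, "#{name}.rb")
    return File.realpath(candidate) if File.file?(candidate)
  end
  nil
end

# Builds the post's scenario under a temporary directory: a decoy
# MyModule.rb in the current working directory and the genuine one in the
# user's module directory. Returns the resolved path for the naive and the
# hardened load path, plus the hardened path itself.
def demo_load_path_gotcha
  Dir.mktmpdir do |root|
    root     = File.realpath(root)          # avoid /var vs /private/var surprises
    cwd      = File.join(root, "cwd")
    user_dir = File.join(root, "my_modules")
    FileUtils.mkdir_p(cwd)
    FileUtils.mkdir_p(user_dir)
    File.write(File.join(cwd, "MyModule.rb"), "# decoy placed in the cwd\n")
    File.write(File.join(user_dir, "MyModule.rb"), "# genuine module\n")

    # Constructed stand-in for the 1.8-era $: shown in the post: system
    # directories first (they do not exist here, so they are skipped), then ".".
    system_path = ["/usr/lib/ruby/site_ruby/1.8", "/usr/lib/ruby/1.8", "."]

    Dir.chdir(cwd) do
      naive    = system_path + [user_dir]                 # what `$: << user_dir` yields
      hardened = hardened_load_path(system_path, user_dir) # Solution 2
      {
        naive:         resolve_feature(naive, "MyModule"),
        hardened:      resolve_feature(hardened, "MyModule"),
        hardened_path: hardened,
      }
    end
  end
end

if __FILE__ == $0
  result = demo_load_path_gotcha
  puts "naive    -> #{result[:naive]}"      # the decoy in the working directory
  puts "hardened -> #{result[:hardened]}"   # the genuine module in my_modules
end
```

With the naive append the decoy in the working directory wins because "." is searched first; with the filtered path the user directory is reached only after the (absolute) system directories, which is exactly the ordering Solution 2 is after, and a system module name can still not be shadowed from the user directory the way Solution 1's unshift would allow.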