ruby-changes:50690
From: shugo <ko1@a...>
Date: Tue, 20 Mar 2018 18:09:54 +0900 (JST)
Subject: [ruby-changes:50690] shugo:r62857 (trunk): io.c: Methods of File should not invoke external commands
shugo 2018-03-20 18:09:49 +0900 (Tue, 20 Mar 2018) New Revision: 62857 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62857 Log: io.c: Methods of File should not invoke external commands For security reasons, File.read, File.binread, File.write, File.binwrite, File.foreach, and File.readlines should not invoke external commands even if the path starts with the pipe character |. [ruby-core:84495] [Feature #14245] Modified files: trunk/NEWS trunk/io.c trunk/test/ruby/test_io.rb Index: test/ruby/test_io.rb =================================================================== --- test/ruby/test_io.rb (revision 62856) +++ test/ruby/test_io.rb (revision 62857) @@ -2196,10 +2196,10 @@ class TestIO < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_io.rb#L2196 def test_read_command assert_equal("foo\n", IO.read("|echo foo")) - assert_warn(/invoke external command/) do + assert_raise(Errno::ENOENT, Errno::EINVAL) do File.read("|#{EnvUtil.rubybin} -e puts") end - assert_warn(/invoke external command/) do + assert_raise(Errno::ENOENT, Errno::EINVAL) do File.binread("|#{EnvUtil.rubybin} -e puts") end assert_raise(Errno::ENOENT, Errno::EINVAL) do Index: io.c =================================================================== --- io.c (revision 62856) +++ io.c (revision 62857) 
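Review bot: In test_read_command (test/ruby/test_io.rb), the two rewritten assertions only show that File.read and File.binread raise Errno::ENOENT or Errno::EINVAL; they do not show that no child process was started. Because `-e puts` leaves no trace, a regression that spawned the command and then failed would still pass. Consider having the command write a marker file under a temporary directory and adding `assert_equal(false, File.exist?(marker))` after each block. The log message also names File.write, File.binwrite, File.foreach and File.readlines; the method continues past the end of this hunk, so confirm that each of those has an equivalent assertion.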
@@ -7113,12 +7113,7 @@ rb_io_open_generic(VALUE klass, VALUE fi https://github.com/ruby/ruby/blob/trunk/io.c#L7113 const convconfig_t *convconfig, mode_t perm) { VALUE cmd; - const int warn = klass == rb_cFile; - if ((warn || klass == rb_cIO) && !NIL_P(cmd = check_pipe_command(filename))) { - if (warn) { - rb_warn("IO.%"PRIsVALUE" called on File to invoke external command", - rb_id2str(rb_frame_this_func())); - } + if (klass == rb_cIO && !NIL_P(cmd = check_pipe_command(filename))) { return pipe_open_s(cmd, rb_io_oflags_modestr(oflags), fmode, convconfig); } else { Index: NEWS =================================================================== --- NEWS (revision 62856) +++ NEWS (revision 62857) @@ -138,6 +138,12 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L138 === Compatibility issues (excluding feature bug fixes) +* File + + * File.read, File.binread, File.write, File.binwrite, File.foreach, + and File.readlines do not invoke external commands even if the path + starts with the pipe character |. [Feature #14245] + === Stdlib compatibility issues (excluding feature bug fixes) === C API updates -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
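Review bot: The new condition `klass == rb_cIO` in rb_io_open_generic is now the only thing keeping a leading `|` in a File path from reaching pipe_open_s, and nothing in the code says so. I would add a comment above the `if`, for example `/* Only IO itself may treat a leading '|' as a command; File and any other class must open the path as a plain file. [Feature #14245] */`. The comparison is by identity, so a subclass (presumably passed here as the receiver) also takes the `else` branch. The comment should say this is intentional, so the check is not later widened to a kind-of test. IO.read and the other IO class methods still run the command, so their rdoc should warn against passing untrusted paths. The function's signature and the `else` body lie outside this hunk.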