security question

aram_harrow · June 30, 2012, 8:13am

Hi all,

I have a perhaps-naive question about section 8.7 on command-line injection:

The code

system(``"/bin/echo"``,``"hello; rm *"``)

# prints "hello; rm *" and does not delete files

is given as an example of a way to sanitize inputs to the system command, but if the attacker can change the second argument here, then this is vulnerable to

system(``"/bin/echo"``,``"rm *`").```

So I think this is a bad example, although I’m not sure what to replace it with, and I am too inexperienced to feel confident changing the ruby guide myself.

-aram

Michael_Pearson · June 30, 2012, 10:01am

Nope. System, in multiple argument mode, does not evaluate the arguments with the shell. So ``, $foo, ~/ etc don’t get evaluated.

$ irb

system ‘/bin/echo’, ‘rm *’

rm *

=> true

fxn · June 30, 2012, 10:02am

When system/exec are given several arguments there is no shell expansion going on:

1.9.3-p194 :001 > system(“/bin/echo”, “ls”)

ls

=> true

Topic		Replies	Views
RE: [Rails] Execute shell command from Rails rubyonrails-talk	2	151	January 23, 2007
system command and echo strangeness rubyonrails-talk	1	160	March 8, 2016
Execute shell command from Rails rubyonrails-talk	0	138	January 23, 2007
Interactive Shell with the underlying system rubyonrails-talk	1	123	November 10, 2009
Simple Parameter Passing rubyonrails-talk	3	79	April 23, 2011

security question

Related topics

More Resources