[BUG] system() isn't safe on win32

Moin!

This ruby one-liner

ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command in safe mode.'"

produces this scary result:

ruby 1.8.0 (2003-08-04) [i386-mswin32]
Was able to run an arbitrary command in safe mode.

IMHO this effectively disables all the security which $SAFE ought to
give you and should be fixed in the ruby interpreter.

However it can also be fixed without patching ruby with a few simple
lines of ruby code so you can patch existing applications as soon as
possible:

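kernel_meta = class << Kernel; self; end
# Wrap both Kernel.system (module function) and the instance method.
[kernel_meta, Object].each { |c| c.module_eval {
  old_system = instance_method(:system)
  define_method(:system) { |*args|
    # Refuse to spawn a process once the safe level has been raised.
    raise(SecurityError, "I'm afraid I can't do that, Dave") if $SAFE > 1
    old_system.bind(self).call(*args)
  }
} }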

Regards,
Florian Gross

Hi,

In message “[BUG] system() isn’t safe on win32” on 03/10/30, Florian Gross flgr@ccan.de writes:

> This ruby one-liner
>
> ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command in safe mode.'"
>
> produces this scary result:
>
> ruby 1.8.0 (2003-08-04) [i386-mswin32]
> Was able to run an arbitrary command in safe mode.
>
> IMHO this effectively disables all the security which $SAFE ought to
> give you and should be fixed in the ruby interpreter.

It shouldn’t happen. Does anyone confirm this?

How did you invoke ruby? From cmd.exe or Cygwin bash?
The only reasonable explanation I can think of now is:

- using bash (or any other UNIXish shell)
- having an environment variable named SAFE,
  whose value looks like a valid identifier

In this case,

ruby -ve '$SAFE = 5; system "echo Was able to run an arbitrary command in safe mode."'

(note exchanged ' and ") should work. But there might be other reasons.

						matz.
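The quoting explanation proposed in the reply above, as an added example that is not part of the original thread: in a POSIX shell the double-quoted one-liner has `$SAFE` expanded by the shell before ruby sees it, while the single-quoted form arrives intact. The function names and the sample SAFE values are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): which -e argument does ruby receive from a POSIX shell?

# Double-quoted form from the report: the shell expands $SAFE before ruby runs.
# $1 is the value of the SAFE environment variable (may be empty).
render_double() {
    ( SAFE=$1
      printf '%s' "$SAFE = 5; system 'echo Was able to run an arbitrary command in safe mode.'" )
}

# Single-quoted form suggested in the reply: the text reaches ruby unchanged.
render_single() {
    printf '%s' '$SAFE = 5; system "echo Was able to run an arbitrary command in safe mode."'
}

# Classify the left-hand side of the "= 5" assignment in the script text.
classify() {
    lhs=${1%%" = 5;"*}
    case $lhs in
        '$SAFE') echo safe-level-set ;;      # ruby really raises the safe level
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo not-an-identifier ;;        # ruby does not get a valid assignment
        *) echo plain-assignment ;;          # e.g. "foo = 5": $SAFE stays 0, system runs
    esac
}

# Print the outcome for a few constructed values of SAFE.
for v in '' foo 1x; do
    printf 'SAFE=%-5s double quotes -> %s\n' "'$v'" "$(classify "$(render_double "$v")")"
done
printf 'any SAFE   single quotes -> %s\n' "$(classify "$(render_single)")"
```

cmd.exe uses %NAME% for variables and passes `$SAFE` through untouched, so this effect only applies when the one-liner is typed into a UNIX-style shell.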

Hello,

In message “Re: [BUG] system() isn’t safe on win32”
on Oct.30,2003 09:28:09, matz@ruby-lang.org wrote:

> > This ruby one-liner
> >
> > ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command in safe mode.'"
> >
> > produces this scary result:
> >
> > ruby 1.8.0 (2003-08-04) [i386-mswin32]
> > Was able to run an arbitrary command in safe mode.
> >
> > IMHO this effectively disables all the security which $SAFE ought to
> > give you and should be fixed in the ruby interpreter.
>
> It shouldn’t happen. Does anyone confirm this?

It’s a bug of mswin32 (and mingw32, bccwin32). Sorry.
I’ve fixed it on CVS.

Regards,

U.Nakamura usa@osb.att.ne.jp

Yukihiro Matsumoto wrote:

> It shouldn’t happen. Does anyone confirm this?

Cygwin seems to be safe but mswin32 and mingw32
are both unsafe on the unix’y shells and the native
command shell.

/Christoph

Please send off list mail to
'my_mail@gmy.net'.gsub(/y/,'x')

Yukihiro Matsumoto wrote:

> > ruby -ve "$SAFE = 5; system 'echo Was able to run an arbitrary command in safe mode.'"
> >
> > produces this scary result:
> >
> > ruby 1.8.0 (2003-08-04) [i386-mswin32]
> > Was able to run an arbitrary command in safe mode.
>
> It shouldn’t happen. Does anyone confirm this?

Yes, same output here. Ruby 1.8.0 (mswin32), CMD.EXE, Win2k+SP2. Also
same output regardless of whether $SAFE is 3, 4, or 5. $SAFE >= 3 correctly forbids
system() on my Linux box.

Haven’t tried the cygwin version though.


dave