I have just stumbled on a small security gotcha in my code that is probably common to quite a lot of code...
ruby-1.8.2 -e 'p $:'
["/usr/lib/ruby/site_ruby/1.8", "/usr/lib/ruby/site_ruby/1.8/i686-linux", "/usr/lib/ruby/site_ruby", "/usr/lib/ruby/1.8", "/usr/lib/ruby/1.8/i686-linux", "."]
Now if you do, like I do,
$: << "/The/place/where/my/ruby/modules/live"
require 'MyModule'
Look what that does...
ruby-1.8.2 -e '$: << "/The/place/where/my/ruby/modules/live";p $:'
["/usr/lib/ruby/site_ruby/1.8", "/usr/lib/ruby/site_ruby/1.8/i686-linux", "/usr/lib/ruby/site_ruby", "/usr/lib/ruby/1.8", "/usr/lib/ruby/1.8/i686-linux", ".", "/The/place/where/my/ruby/modules/live"]
Then "." is on the library path _before_ your user path.
So a Bad Hat (or just plain Murphy, as in Murphy's Law) could put his own nasty version of MyModule.rb in the current working directory, and thereafter your App does Strange Things.
Solution 1:
$:.unshift "/The/place/where/my/ruby/modules/live"
I don't like that, as then if Murphy places anything in "/The/place/where/my/ruby/modules/live" with a module name that is the same as a system module's,
suddenly all system modules start behaving in mysterious ways.
Solution 2:
$:.reject!{|p| p[0] != ?/} # Only allow absolute paths
$: << "/The/place/where/my/ruby/modules/live"
require 'MyModule'
John Carter                             Phone : (64)(3) 358 6639
Tait Electronics                        Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch                Email : john.carter@tait.co.nz
New Zealand
Refactorers do it a little better every time.
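The three load-path layouts discussed in the post (append after ".", unshift before everything, and Solution 2's absolute-only filter), worked through as an added example that is not part of the original message. It builds a throwaway directory tree standing in for a system library dir, the poster's own module dir and a working directory holding a rogue MyModule.rb, then resolves features the way `require` walks `$:` (first hit wins; only `.rb` candidates are considered here). Directory names, file contents and the `Sys` module are constructed for the demonstration. Note that later Ruby releases (1.9.2 onward) dropped "." from the default `$:` for exactly the reason the post describes, but the shadowing problem with `unshift` is unchanged.

```ruby
require 'tmpdir'
require 'fileutils'

# Resolve a feature the way `require` searches $: (first existing hit wins).
# Relative entries such as "." are expanded against the given working directory.
def resolve_feature(load_path, feature, cwd)
  load_path.each do |dir|
    candidate = File.join(File.expand_path(dir, cwd), "#{feature}.rb")
    return candidate if File.file?(candidate)
  end
  nil
end

# Solution 2 from the post: keep only absolute entries, then append ours.
# The post's `p[0] != ?/` does the same test on Ruby 1.8, where both sides
# are Integers; start_with? reads the same on modern Ruby. Returns a new array.
def hardened_load_path(load_path, user_dir)
  load_path.select { |dir| dir.start_with?('/') } + [user_dir]
end

# Constructed fixture (not a real Ruby install):
#   sys/Sys.rb          a "system" library
#   user/MyModule.rb    our own module
#   user/Sys.rb         accidentally shadows the system library
#   cwd/MyModule.rb     a rogue copy dropped in the working directory
def with_fixture
  Dir.mktmpdir('loadpath') do |root|
    dirs = { sys: File.join(root, 'sys'),
             user: File.join(root, 'user'),
             cwd: File.join(root, 'cwd') }
    dirs.each_value { |d| FileUtils.mkdir_p(d) }
    File.write(File.join(dirs[:sys], 'Sys.rb'), "# system library\n")
    File.write(File.join(dirs[:user], 'MyModule.rb'), "# our module\n")
    File.write(File.join(dirs[:user], 'Sys.rb'), "# shadowing copy\n")
    File.write(File.join(dirs[:cwd], 'MyModule.rb'), "# rogue copy\n")
    yield dirs
  end
end

# For each strategy, report which directory (:sys, :user or :cwd) 'MyModule'
# and 'Sys' would actually be loaded from.
def compare_strategies
  with_fixture do |d|
    default = [d[:sys], '.']            # mimics $: ending in "."
    where = lambda do |path, feature|
      file = resolve_feature(path, feature, d[:cwd])
      file && d.key(File.dirname(file))
    end
    paths = {
      append:   default + [d[:user]],            # $: << user_dir
      unshift:  [d[:user]] + default,            # $:.unshift user_dir
      hardened: hardened_load_path(default, d[:user]),
    }
    paths.each_with_object({}) do |(name, path), out|
      out[name] = { my: where.call(path, 'MyModule'), sys: where.call(path, 'Sys') }
    end
  end
end

if __FILE__ == $0
  compare_strategies.each do |name, r|
    puts "#{name}: MyModule from #{r[:my]}, Sys from #{r[:sys]}"
  end
end
```

Run it and the append layout loads the rogue copy from the working directory, the unshift layout loads our own Sys.rb in place of the system one, and only the hardened layout picks the intended file for both.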