1. system()
2. backticks `` or %x shortcut
3. Kernel.exec()
The problem arises once you consider security abuses such as shell injection, which exploits unsanitized input reaching the shell. Let me illustrate this with an example:
    1.9.3-p392 :001 > system ("ls")
    file1 file2 file3
     => true
Let's try shell injection:
    1.9.3-p392 :002 > system ("ls; rm *")
    file1 file2 file3
     => true
    1.9.3-p392 :003 > system ("ls")
     => true
Ouch! Imagine what would have happened with user input. This is dangerous indeed, and experienced Rubyists generally advise against using system() anywhere user input reaches the command. If you still can't live without it, Ruby ships with a library called Shellwords, which you can use as follows:
    1.9.3-p392 :004 > require 'shellwords'
     => true
    1.9.3-p392 :005 > a1 = %w{ls -l}
     => ["ls", "-l"]
    1.9.3-p392 :006 > system(a1.shelljoin)
    total 0
    -rw-r--r-- 1 jamesattard wheel 0 15 Apr 14:47 file1
    -rw-r--r-- 1 jamesattard wheel 0 15 Apr 14:47 file2
    -rw-r--r-- 1 jamesattard wheel 0 15 Apr 14:47 file3
     => true
Now let's try to drop a bomb:
    1.9.3-p392 :007 > a2 = %w{ls -l; rm *}
     => ["ls", "-l;", "rm", "*"]
    1.9.3-p392 :008 > system(a2.shelljoin)
    ls: illegal option -- ;
    usage: ls [-ABCFGHLOPRSTUWabcdefghiklmnopqrstuwx1] [file ...]
     => false
    1.9.3-p392 :009 > system("ls")
    file1 file2 file3
     => true
As you can see, Shellwords escaped each word so that the shell treated "-l;" as a literal argument to ls rather than as a command separator, and rm never ran.
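To make the difference concrete, here is an added example (not code from the original post) that puts the unsafe interpolated command, the Shellwords-escaped command, and the shell-free multi-argument form of system() side by side. The hostile filename and the function names are constructed for this illustration; the only library calls are Shellwords.escape (via Array#shelljoin) and Shellwords.split from Ruby's standard library.

```ruby
require 'shellwords'

# Constructed sample: an attacker-controlled "filename" as it might arrive
# from a form field or URL parameter. The ';' is what makes it dangerous.
MALICIOUS_NAME = "file1; rm *"

# Unsafe: plain interpolation hands the string to the shell verbatim, so the
# shell parses ';' as a command separator and runs "rm *" after ls.
# (Returned, not executed, so the example can show what the shell would see.)
def unsafe_command(name)
  "ls -l #{name}"
end

# Safer: shelljoin runs Shellwords.escape on every element, so ';', ' ' and
# '*' are backslash-escaped and the whole value is one literal argument.
def safe_command(name)
  ["ls", "-l", name].shelljoin
end

# Safest: the multi-argument form of system() never invokes a shell at all;
# each array element becomes exactly one argv entry, so no escaping is needed.
def run_without_shell(name)
  system("ls", "-l", name)
end

# Sanity check of the escaping: the joined string must split back into the
# very same words, proving the shell would see each word as one token.
def round_trip?(words)
  Shellwords.split(words.shelljoin) == words
end

# Reproduces the post's %w{ls -l; rm *} case: %w splits on whitespace, so
# "-l;" is a single word and shelljoin escapes its ';' instead of letting the
# shell treat it as a separator.
def page_example_join
  %w{ls -l; rm *}.shelljoin
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe : #{unsafe_command(MALICIOUS_NAME)}"
  puts "escaped: #{safe_command(MALICIOUS_NAME)}"
  puts "joined : #{page_example_join}"
  puts "round-trip ok: #{round_trip?(['ls', '-l', MALICIOUS_NAME])}"
  # Executing the no-shell form fails harmlessly: ls reports a missing file
  # named "file1; rm *" instead of the shell deleting anything.
  run_without_shell(MALICIOUS_NAME)
end
```

Of the three forms, prefer the multi-argument system("ls", "-l", name) whenever you control the argument list: it sidesteps the shell entirely, so there is no quoting layer to get wrong. Reach for Shellwords only when you genuinely need a single command string, for instance to log it or to pass it through a tool that itself expects shell syntax.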