How to disable system command execution

I have a script that can be called by untrusted users, we need to make a call along the lines of this example:

system 'somescript ' + data

We need to make sure that if data == 'filename; dosomethingelse', then the ; (or any other special character) is escaped, the result being a shell command that actually runs somescript filename\;\ dosomethingelse or somescript "filename; dosomethingelse".

Is there a standard way to do this?

+3
2 answers
system 'somescript', data

Multi-argument calls to system are not passed to the shell for processing.

+6

The Shellwords module (part of the standard library) will perform appropriate escaping of shell commands:

#!/usr/bin/ruby1.8

require 'shellwords'

command = ['cat', 'filename with spaces', '"quoted_filename"'].shelljoin
puts command    # => cat filename\ with\ spaces \"quoted_filename\"
system(command)
# => this file has spaces in its name
# => this file has a quoted filename

Using shellwords also adds a shellescape method to String.

The API is in the 1.9 Pickaxe, but it is also available in 1.8.7 (see /usr/lib/ruby/1.8/shelljoin.rb).

+1
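An added example (not part of the question or either answer) that puts the two fixes side by side against the question's hostile input: the concatenated string the question warns about is only built, never executed; the shelljoin form is checked by splitting it back into words; and the multi-argument form runs a harmless Ruby child in place of the hypothetical somescript and returns the ARGV the child actually received.

```ruby
require 'shellwords'
require 'rbconfig'
require 'json'

# Constructed input from the question: a filename followed by a second
# command, separated by the shell metacharacter ';'.
HOSTILE_DATA = 'filename; dosomethingelse'.freeze

# The pattern from the question, returned rather than executed so the
# command line can be inspected. Given to system(str), the shell would
# parse ';' as a command separator and run two commands.
def unsafe_command_line(data)
  'somescript ' + data
end

# Fix 1 (second answer): build the command line with Shellwords#shelljoin,
# which backslash-escapes every metacharacter so that the shell sees data
# as exactly one argument.
def escaped_command_line(data)
  ['somescript', data].shelljoin
end

# Tokenise a command line the way Shellwords does. Note that shellsplit is a
# word splitter, not a shell parser: it honours quotes and backslashes but
# does not treat ';' as a separator, so it shows how many words data becomes,
# while a real shell would additionally split the unsafe line into commands.
def words_of(command_line)
  Shellwords.shellsplit(command_line)
end

# Fix 2 (first answer): pass an argv array. With more than one argument Ruby
# calls exec directly and no shell is involved, so no escaping is needed.
# The child here is the current Ruby interpreter (an assumption made so the
# example runs anywhere); it reports the ARGV it received as JSON.
def child_argv(data)
  argv = [RbConfig.ruby, '-e', 'require "json"; puts ARGV.to_json', data]
  output = IO.popen(argv) { |io| io.read }
  JSON.parse(output)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{unsafe_command_line(HOSTILE_DATA)}"
  puts "escaped: #{escaped_command_line(HOSTILE_DATA)}"
  puts "words:   #{words_of(escaped_command_line(HOSTILE_DATA)).inspect}"
  puts "child:   #{child_argv(HOSTILE_DATA).inspect}"
end
```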

Source: https://habr.com/ru/post/1730489/