07-18-2023, 07:01 PM
Be aware that all the solutions where you pass a string containing user-provided values to `system`, `%x[]` etc. are unsafe! Unsafe actually means: the user may trigger code to run in the context and with all permissions of the program.
As far as I can say only `system` and `Open3.popen3` do provide a secure/escaping variant in Ruby 1.8. In Ruby 1.9 `IO::popen` also accepts an array.
Simply pass every option and argument as an array to one of these calls.
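If you need not just the exit status but also the result, you probably want to use `Open3.popen3`:

```ruby
require 'open3'

# Each option and argument is its own element, so no shell parses the values.
stdin, stdout, stderr, wait_thr = Open3.popen3('usermod', '-p', @options['shadow'], @options['username'])
stdin.close                  # the command reads no input
output = stdout.gets(nil)    # read all of stdout
stdout.close
errors = stderr.gets(nil)    # read all of stderr
stderr.close
exit_code = wait_thr.value   # Process::Status of the finished command
```

Note that the block form will auto-close stdin, stdout and stderr; otherwise they'd have to be [closed explicitly][1].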
More information here:
[1]:
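An added example (not part of the original post) that contrasts the array form with the string form, using the block form of `Open3.popen3` mentioned above. The `ARGV_DUMP` child command, the helper names and `USER_VALUE` are constructed for the demonstration; the child is the running Ruby interpreter, which simply prints the arguments it received.

```ruby
require 'open3'
require 'rbconfig'

# Constructed child command: prints each argument it received on its own line.
# '--' ends option parsing so values starting with '-' are also treated as data.
ARGV_DUMP = [RbConfig.ruby, '-e', 'puts ARGV', '--'].freeze

# Array form: every element becomes exactly one argv entry; no shell is involved.
# The block form closes stdin, stdout and stderr automatically on exit.
def run_argv(*args)
  Open3.popen3(*ARGV_DUMP, *args) do |stdin, stdout, stderr, wait_thr|
    stdin.close
    err_reader = Thread.new { stderr.read } # drain stderr concurrently to avoid a full-pipe stall
    out = stdout.read
    [out.lines.map(&:chomp), err_reader.value, wait_thr.value.exitstatus]
  end
end

# String form: the whole string is handed to the shell, which interprets
# metacharacters inside the interpolated value.
def run_shell_string(value)
  out, status = Open3.capture2("echo #{value}")
  [out.lines.map(&:chomp), status.exitstatus]
end

# Constructed sample standing in for a user-provided value.
USER_VALUE = 'alice; echo INJECTED'

if __FILE__ == $PROGRAM_NAME
  p run_argv('-p', USER_VALUE)    # the value arrives as one literal argument
  p run_shell_string(USER_VALUE)  # the shell splits it into two commands
end
```
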