From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on dcvr.yhbt.net X-Spam-Level: ** X-Spam-ASN: AS6939 216.218.128.0/17 X-Spam-Status: No, score=2.1 required=3.0 tests=AWL,BAYES_00,RCVD_IN_MSPIKE_BL, RCVD_IN_MSPIKE_ZBI,RCVD_IN_XBL,RDNS_NONE,SPF_FAIL,SPF_HELO_FAIL shortcircuit=no autolearn=no autolearn_force=no version=3.4.0 Received: from 80x24.org (unknown [216.218.222.14]) by dcvr.yhbt.net (Postfix) with ESMTP id 324611F42E for ; Thu, 21 Dec 2017 11:55:21 +0000 (UTC) From: Eric Wong To: spew@80x24.org Subject: [PATCH 2/6] webrick/httpservlet/cgi_runner.rb: remove unnecessary open Date: Thu, 21 Dec 2017 11:55:03 +0000 Message-Id: <20171221115507.27500-3-e@80x24.org> In-Reply-To: <20171221115507.27500-1-e@80x24.org> References: <20171221115507.27500-1-e@80x24.org> List-Id: IO#reopen already takes string path names as well as IO objects (but not "| command" strings) This makes further auditing for inadvertent code execution easier. There's no actual bugfix or behavior change here, as no external data is passed to cgi_runner.rb. * lib/webrick/httpservlet/cgi_runner.rb: remove Kernel#open call --- lib/webrick/httpservlet/cgi_runner.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/webrick/httpservlet/cgi_runner.rb b/lib/webrick/httpservlet/cgi_runner.rb index 597f48936b..3ebbcebb26 100644 --- a/lib/webrick/httpservlet/cgi_runner.rb +++ b/lib/webrick/httpservlet/cgi_runner.rb @@ -23,11 +23,11 @@ def sysread(io, size) len = sysread(STDIN, 8).to_i out = sysread(STDIN, len) -STDOUT.reopen(open(out, "w")) +STDOUT.reopen(out, "w") len = sysread(STDIN, 8).to_i err = sysread(STDIN, len) -STDERR.reopen(open(err, "w")) +STDERR.reopen(err, "w") len = sysread(STDIN, 8).to_i dump = sysread(STDIN, len) -- EW
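Review bot: In the `@@ -23,11 +23,11 @@` hunk, the two new `reopen` calls carry no comment saying why the path string is passed directly, so a later cleanup could reintroduce `open(out, "w")` and with it Kernel#open's handling of "| command" strings. A one-line comment above `STDOUT.reopen(out, "w")`, noting that IO#reopen accepts a path name but not a "| command" string, would record the intent that currently lives only in the commit message. Also note that `out` and `err` are still taken verbatim from `sysread(STDIN, len)`: the change narrows what those values can do but does not validate them, which holds up only as long as, per the commit message, no external data is passed to cgi_runner.rb.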