Issue #4487 has been updated by naruse (Yui NARUSE).


shyouhei (Shyouhei Urabe) wrote:
> naruse (Yui NARUSE) wrote:
> > require_relative is introduced to avoid accidentally require a malicious file on the current working directory.
> > So it can't be acceptable.
> > Use require or load on such case.
> 
> I'm not pretty sure about this.  Is there a chance for a (proposed behaviour of) require_relative to require a malicious file on the current directory?
> 
> Because you are on an IRB session and intentionally emitting require_relative (not require), I doubt the danger you say.

* irb is not the only user of eval.
* A user won't always use require_relative intentionally.
* There is a suitable another way: require './myfile'

With those reason, I don't think require_relative should be changed.
----------------------------------------
Bug #4487: require_relative fails in an eval'ed file
https://bugs.ruby-lang.org/issues/4487#change-27860

Author: rogerdpack (Roger Pack)
Status: Assigned
Priority: Normal
Assignee: matz (Yukihiro Matsumoto)
Category: 
Target version: 
ruby -v: -


=begin
Hello all.
 
 $cat eval_me1.rb
 eval(File.read('eval_me2.rb'), binding, File.expand_path('./eval_me2.rb'))
 $cat eval_me2.rb
 require_relative 'eval_me1.rb'
 $ ruby eval_me1.rb
 C:/dev/ruby/faster_require/spec/eval_me2.rb:1:in `require_relative': cannot infer basepath (LoadError)
        from C:/dev/ruby/faster_require/spec/eval_me2.rb:1:in `<main>'
        from eval_me1.rb:1:in `eval'
        from eval_me1.rb:1:in `<main>'

I suppose was assuming that if eval included a filename, then require_relative would work from within it. Perhaps I am mistaken?
Thanks!
-r
=end



-- 
http://bugs.ruby-lang.org/