On Jul 16, 2007, at 22:51, Giles Bowkett wrote:

> I've got a class which loads files and turns them into ActiveRecord DB
> rows. I'm converting images on a filesystem into blobs in a database.
>
> class ImageFile < ActiveRecord::Base
>   class << self
>     def import_from_hash(hash)
>       %w{medium square thumb lsquare lthumb tiny}.each do |suffix|
>         filename = "public/item/photos/" + hash[0..2] + "/" + hash + "_#{suffix}.jpg"
>         if File.exists?(filename)
>           File.open(filename, "r") do |file|
>             image_file = ImageFile.new
>             eval("image_file.#{suffix} = file.read")
>           end
>         end
>       end
>     end
>   end
> end
>
> As you can see the whole thing depends massively on eval(). Yet I
> think it's safe.

echo 'system "rm -rf /"' > public/item/photos/XX/Y_medium.jpg

--
Poor workers blame their tools. Good workers build better tools. The
best workers get their tools to do the work for them. -- Syndicate Wars
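
An added example (not code from the thread) of what the eval in the posted import_from_hash does with the string it is handed, beside the conventional replacement. A plain Ruby class stands in for the ActiveRecord model and a constructed byte string stands in for file.read, so it runs without Rails or a filesystem; the ImageFile stand-in, assign_via_eval, assign_via_send, the $injected sentinel and the EVIL_SUFFIX string are all assumptions made for the demonstration. What it shows: whatever arrives as the suffix is spliced into source text and executed, while the same assignment written as an allowlist check plus public_send needs no eval at all and raises on anything that is not one of the six attribute names.

```ruby
# Added example, not from the original thread. The posted import_from_hash
# builds "image_file.#{suffix} = file.read" and passes it to eval; this
# reproduces that one line against an in-memory stand-in for the model.

SUFFIXES = %w[medium square thumb lsquare lthumb tiny].freeze

# Stand-in for ImageFile < ActiveRecord::Base: one attribute per suffix.
class ImageFile
  attr_accessor(*SUFFIXES.map(&:to_sym))
end

# Sentinel flipped by the injected statement; a real payload would call
# system(...) instead.
$injected = false

# Mirrors the original: the suffix becomes part of the source text that eval
# runs, so anything other than a bare attribute name is executed as code.
def assign_via_eval(image_file, suffix, data)
  eval("image_file.#{suffix} = data")
  image_file
end

# Hardened form: no eval. The suffix must be one of the known attribute
# names, then the setter is invoked by name. Anything else raises.
def assign_via_send(image_file, suffix, data)
  unless SUFFIXES.include?(suffix)
    raise ArgumentError, "unknown suffix: #{suffix.inspect}"
  end
  image_file.public_send("#{suffix}=", data)
  image_file
end

# Constructed bytes standing in for file.read (JPEG SOI marker + filler).
FAKE_JPEG = [0xFF, 0xD8, 0xFF, 0xE0].pack("C*") + " constructed image bytes"

# Attacker-controlled "suffix" (assumed for the demo): completes the
# assignment, runs its own statement, then leaves a valid expression so the
# trailing " = data" still parses.
EVIL_SUFFIX = "medium = data; $injected = true; image_file.medium"

# The legitimate path works identically in both versions.
def legit_assignment_works?
  a = assign_via_eval(ImageFile.new, "thumb", FAKE_JPEG)
  b = assign_via_send(ImageFile.new, "thumb", FAKE_JPEG)
  a.thumb == FAKE_JPEG && b.thumb == FAKE_JPEG
end

# True when the eval version executed the injected statement.
def eval_runs_injected_code?
  $injected = false
  assign_via_eval(ImageFile.new, EVIL_SUFFIX, FAKE_JPEG)
  $injected
end

# True when the send version refused the same string without running it.
def send_rejects_injected_code?
  $injected = false
  begin
    assign_via_send(ImageFile.new, EVIL_SUFFIX, FAKE_JPEG)
    false
  rescue ArgumentError
    !$injected
  end
end

if __FILE__ == $0
  puts "legitimate suffix assigned by both:   #{legit_assignment_works?}"
  puts "eval executed the injected statement: #{eval_runs_injected_code?}"
  puts "public_send rejected the same string: #{send_rejects_injected_code?}"
end
```

Run it as a script to see the three results. On the path the posted code actually takes, where the suffix comes from a literal %w list, the hardened version behaves identically; the difference is that the safety of the import no longer rests on an argument about what can reach eval, because nothing does.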