You are a web developer. Let's assume you are building a website using Ruby (and probably Rails or any other Ruby framework). This is why you need to validate some input params - to make sure that they don't contain any crap you don't want to be there. Come on, you are going to google it, right?:
- Hmmm, I need a regexp for emails. Googling: "regexp for email". Oh, nice one, I will use it.
- Oh, I also need a regexp for URLs. Easy: "regexp for url". So good, I love google and ruby!
- This field must contain 3 capital letters - it's the IATA code for an airport. I can do it by myself, I know regular expressions, I read some books! /^[A-Z]{3}$/ looks great!
Now you have ready regexps and you put them into your model, into a controller, anywhere - it doesn't matter:
validates :email, presence: true, format: EMAIL regexp from google
validates :url, format: URL regexp from google
validates :departure_airport, presence: true, format: /^[A-Z]{3}$/
In Ruby, ^ and $ are NOT start-of-string and end-of-string - they are line anchors, and they match right after and right before every new line (\n)!
This is the common pattern to exploit them:
any data
proper data - valid for regexp
any other data
Thus, all your regexps that use ^$ are CRAP and worth nothing! Throw them away, they don't make sure that input is safe and secure.
XSS for your URL:
javascript:alert(1);exploit_code();/*
http://hi.com
*/
Injection for the IATA code (it uses SOAP, so an XML injection has a very powerful impact):
<some xml><for reservation system to steal money>
SXF
</ending tags></going to miami beach>
Ruby doesn't give a sh*t about it at all. "Meh, use \A \z, we are in multiline mode by default".
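The three-line payload shape above (any data / a line valid for the regexp / any other data) run through a Ruby check, as an added example that is not code from the original post. The IATA regexp is the post's own; the URL regexp is an assumed stand-in for a typical search-result pattern, not any specific gem's. The \A/\z versions show the fix, and the last two entries show why \Z is not a substitute for \z either: \Z still tolerates one trailing newline.

```ruby
# Added example (not from the original post): why ^ and $ fail as
# validators in Ruby, and what \A and \z do instead.

# Assumed stand-in for a "regexp for url" found by searching; shape is illustrative.
URL_LOOSE   = %r{^https?://[^\s/$.?#].[^\s]*$}
URL_STRICT  = %r{\Ahttps?://[^\s/$.?#].[^\s]*\z}
# The post's own airport-code regexp and its hardened form.
IATA_LOOSE  = /^[A-Z]{3}$/
IATA_STRICT = /\A[A-Z]{3}\z/

# Same test a `validates ... format:` performs: does the value match at all?
def valid?(regexp, value)
  !!(value =~ regexp)
end

# Constructed payloads in the shape the post describes: junk, one line that
# satisfies the regexp, more junk.
XSS_URL  = "javascript:alert(1);exploit_code();/*\nhttp://hi.com\n*/"
XML_IATA = "<some xml><for reservation system to steal money>\nSXF\n</ending tags></going to miami beach>"

def demo
  {
    url_loose:    valid?(URL_LOOSE, XSS_URL),       # true:  line 2 satisfies ^...$
    url_strict:   valid?(URL_STRICT, XSS_URL),      # false: \A...\z sees the whole string
    iata_loose:   valid?(IATA_LOOSE, XML_IATA),     # true:  the "SXF" line is enough
    iata_strict:  valid?(IATA_STRICT, XML_IATA),    # false
    iata_ok:      valid?(IATA_STRICT, "SXF"),       # true:  legitimate input still passes
    iata_Z_trail: valid?(/\A[A-Z]{3}\Z/, "SXF\n"),  # true:  \Z allows one trailing \n
    iata_z_trail: valid?(IATA_STRICT, "SXF\n"),     # false: \z does not
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result}" }
end
```

Rails 4's format validator refuses a regexp containing ^ or $ with an ArgumentError unless you pass `multiline: true`, which is the right default; in older Rails, and anywhere else you use a regexp as a whole-value check, the \A/\z form is on you.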
The vulnerability is known and described in just a few paragraphs in the Rails security guide. The example there is awful - why add <script> to a file name? Rails will escape it easily unless you mark it html_safe. It is much better to demonstrate XSS in a URL, shell injection or XML injection, because they are all pretty dangerous.
Hey dude, didn't you read the 300-page manual? Page 253: "The brake is located on the roof of the car". pwned.
Regexps are just like cars - they should work the same, or as similarly as possible. Breaking standard behavior on purpose and telling people "It's not a bug, it's a feature" looks so disgusting to me. It's not a feature, it's a vulnerability.
Showcases time.
Github.com (with a picture :3, fixed)
scribd.com (the same, fixed)
http://www.workingwithrails.com/person/19433-egor-homakov
http://soundcloud.com/egor-homakov (songkick link)
tumblr.com - awesome hack (tricky parser there) and easy to use, just put something like this:
javascript:%0A
=(Code_to_Reblog();code_to_open_the_link();)//
http://hi.com
That's it! Of course I can find many more - but for what? I am 90% sure that your ruby project uses $^ in its URL regexp too. I am so sure because I would do the same, and this is really OK. Old versions of devise and authlogic and a lot of other gems are built with vulnerable regexps.
This is how to check: you have an <input> field. Just turn it into a <textarea> using the WebInspector - now you can type new lines without all the mess with \n and %0A.
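A way to check a whole code base rather than one field at a time, as an added example that is not part of the original post and not the check Rails itself ships: a small scanner that pulls regexp literals out of `validates ... format:` lines, flags any ^ or $ that is not escaped and not inside a character class, and prints the \A/\z rewrite. The model source it scans is constructed inline for the demo; only /.../ and %r{...} literals are recognised.

```ruby
# Added example, not code from the original post: scans Ruby source for
# `validates ... format:` regexps anchored with ^/$ and shows the \A/\z form.

# Constructed sample model: two of the four validations use line anchors.
SAMPLE_SOURCE = <<~'RUBY'
  class Flight < ActiveRecord::Base
    validates :departure_airport, presence: true, format: /^[A-Z]{3}$/
    validates :url, format: %r{\Ahttps?://\S+\z}
    validates :email, format: { with: /^[^@\s]+@[^@\s]+$/ }
    validates :note, format: /\A[^$]+\z/   # $ inside a class is a literal
  end
RUBY

# Matches a /.../ or %r{...} literal and captures the pattern body.
REGEXP_LITERAL = %r!/((?:\\.|[^/\\])*)/|%r\{((?:\\.|[^}\\])*)\}!

# Walk the pattern once, tracking escapes and [...] classes, and replace
# every anchoring ^ / $ with \A / \z. Unchanged output means no line anchors.
def rewrite_anchors(pattern)
  out = String.new
  in_class = escaped = false
  pattern.each_char do |c|
    if escaped        then escaped = false
    elsif c == '\\'   then escaped = true
    elsif in_class    then in_class = false if c == ']'
    elsif c == '['    then in_class = true
    elsif c == '^'    then c = '\A'
    elsif c == '$'    then c = '\z'
    end
    out << c
  end
  out
end

def multiline_anchors?(pattern)
  rewrite_anchors(pattern) != pattern
end

# Returns [[line_number, pattern, suggested_pattern], ...] for each flagged validation.
def scan_validations(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    next unless line =~ /\bvalidates\b/ && line.include?('format')
    line.scan(REGEXP_LITERAL) do |slash_body, brace_body|
      pat = slash_body || brace_body
      findings << [no, pat, rewrite_anchors(pat)] if multiline_anchors?(pat)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_validations(SAMPLE_SOURCE).each do |no, pat, fix|
    puts "line #{no}: /#{pat}/ uses line anchors; use /#{fix}/"
  end
end
```

Run it over your app/models directory with `Dir["app/models/**/*.rb"].each { |f| scan_validations(File.read(f)) }` and fix every hit; a regexp that legitimately needs line anchors (rare in input validation) is the one place to keep ^ and $ deliberately.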
I thought everybody knew to use \A \z in Ruby since forever. ^ and $ are pretty much always the wrong thing to use, and not just due to security.
@taw
I hope it to be true. But it's not. MOST of rubyists don't know about this and there is no way to teach everybody. Stop fighting walls, you cannot rewrite standards!
"I thought everybody knew" is really my favorite sentence in security. I heard it a lot and had some fun then.
Isn't Tumblr PHP?
@fuzz
of course not, it wouldn't work in that case
homakov, I don't really believe you about tumblr
http://highscalability.com/blog/2012/2/13/tumblr-architecture-15-billion-page-views-a-month-and-harder.html
Good research, Egor!
I'm not a Ruby programmer, but from time to time I read pieces of Ruby code. And I really could not even imagine, before reading your post, that ^$ has such a perverse sense in Ruby regexps.
@anon1
just check. everything works if you poke around a bit; naturally I am not going to post a working injection.
@anon2
Exactly. Most of us didn't know. That's what the post is about.
This actually doesn't have anything to do with Ruby specifically, but it is how regular expressions work in general. So personally I've always expected ^ and $ to mean start of line and end of line and never start and end of text.
This is the case in every programming language I've worked in that has regular expressions, such as Ruby, Perl, Java, C# and others. Multiline matching is also optional on all these platforms.
http://en.wikipedia.org/wiki/Regular_expression
All of the languages you mention (except Ruby) treat ^ and $ as beginning/end of string until you *explicitly* enable MULTILINE (/m). Where did you get the idea that they don't?
Nice, except the suggestion to change the Ruby regexp behavior. It's naive to think regexps are used only for validations. And since there is always the \A \Z solution, it's simply user/dev error.
@dbussink
yes, I know, this is how regexps work. It's all just "details". The problem is multiline mode by default, that is what I meant.
And I am personally OK with that. I use \A\z. But all the silly books/casts I know about regexps use ^$ - that's the point. It's impossible to change minds fast. Very difficult.
Thanks for your response.
@anon
OK, I don't mind changing ruby/minds. I mind fixing the problem. And I don't know 100% which of the ways will work. But I know my post will help people who never knew about this - I hope it was helpful to them :)
"test\nhttp://asdfasdf".search(/^http:/) // -1
<?php
$s = "test\nhttp://asdfasdf";
var_dump(preg_match('/^http:/', $s)); // 0
Lol, next one ruby problem
@anon yep, I would not care at all if some other language did the same. But in this case ruby is "unique" in the bad meaning of that word.
Thanks for drawing attention to the problem.
I think that Ruby is a good language, but many people writing Rails tutorials on the web don't know some of its differences. This problem was discussed in 2009 on http://caiustheory.com/validating-data-with-regular-expressions-in-ruby
@Marek. yes, cool. still wonder why those guys in the showcases don't care about this thing. If it was discussed 100 times, why do I still find it working? That's what makes me cry over here :D
Thanks for bringing this to my attention. Yet another bullet point on my list of reasons to stay away from Ruby.
Good Lord! Keep the ignorance and misdirection coming, folks.
Keep blaming other people/software because you didn't bother to learn standard RegEx syntax that has been around for at least a couple of decades.
Please don't allow any critical thinking into your head or you might realize that the distinction between \A and ^ is both necessary and useful.
Thanks for bringing this to my attention homakov, however, I will not be clamoring for a change to Ruby, rather I will be on the lookout for this in my code and fixing it. What you overlook is that Ruby is not only used for rails, and regular expressions are not only used for web input validation, and regular expressions have been around since before the web. Sure we could change the way ^ and $ act in Ruby, thus making Ruby's regular expressions act differently from every other language's, and breaking lots of existing non-web-app code. No. The answer is that the habit of using $ and ^ to mean beginning and end is a habit inherited from writing command-line scripts where programmers were able to assume line-by-line input. The solution is to do what you have already done here and bring this to people's attention so they can stop making this mistake. Changing minds might be harder than changing Ruby, but it's the right thing to do.
According to http://www.regular-expressions.info/javascript.html, \A and \Z are not even supported in the javascript regular expression flavour. They would be used to $ and ^. For a web developer proficient in javascript trying to pick up Ruby, this is a problem just waiting to pop up.
@Anonymous - but in JavaScript there isn't such an issue:
"javascript:pwn();\nhttp://hi.com".match(/^http:/) # => null
Coming back to Ruby:
require "uri"
irb> "javascript:pwn();\nhttp://hi.com" =~ URI.regexp
=> 0
Oh noes!!!
(URI.regexp seems a pretty complex regexp)
@anon1 that is a silly reason
@anon2 you don't teach me standards ok? I know them pretty well. I'm just telling obvious stuff: newcomers are used to ^$, all the books use it etc. standard < what people are used to. Sad but true
@charles absolutely right. I don't really even hope to change ruby but with this post i make people *a little bit* more aware of this vulnerability
@anon3 nice catch!
@Jarmo yes, as in other languages, no multiline by default
To 反映する...
^ and $ = http://regexr.com?312k1
\S and \z = http://regexr.com?312k4
\A and \s = http://regexr.com?312kd
^ and $ with /m = http://regexr.com?312ka
Is that a Ruby problem or just how the regex works?
@Guilheme
in fact it is how RegExps work. Just ruby has multiline mode by default, which turns ^$ into useless new lines. That's what this post is about.
Egor, $ is not exactly the same as \z in the non-Ruby world, because $ matches newline too.
The "start of line" metacharacter (^) matches only at the start of the string, while the "end of line" metacharacter ($) matches only at the end of the string, OR BEFORE a terminating newline. This is right for Perl, PHP, Python etc. But \z is end of subject.
So maybe it would be better to teach the rest of the programmers to use \z instead of $.
@david yes, you are telling me what I know perfectly. It's just slight details. OK. Just ruby is the only guy who uses multiline by default.
teach the rest of the programmers?! if you are brave enough to teach 999 999 newbies (they just read PHP for 24 hours) - DO IT :)
Shit happens I suppose, but frankly I would have expected github to use something more fancy such as URI.parse.
@Daniel probably URI is nice but it has an ugly api and I just don't like it. It's ok to use a regexp )
Thanks for the information Egor
As has been said, Ruby is used not only for Rails and pretty obviously that'd break backwards compatibility in quite a hard way. This won't be in 2.0 and probably not any time soon either.
But you could easily fix Rails by checking for these broken regexen in the validator.
we fixed it for validations - we check for $^ and notify developers.
Funny comment above, considering all the other comments:
"I thought everybody knew to use \A \z in Ruby since forever."
And then everyone is saying that no, people don't use them, the tutorials don't use them etc.
Just got an exception in my Rails 4 beta application about some security risk... I am really, really surprised by these multiline regexps in Ruby. For me it's a terrible design bug, few would EVER think multiline regexps are enabled by default.
yes, and it will never be fixed
I'm actually upset about this. It's the blind leading the blind out there when it comes to regexes - EVERY tutorial states that $ will ONLY match the end of a string. *facepalm*