YUKI Hiroshi
null+****@clear*****
Wed Mar 25 11:45:11 JST 2015
YUKI Hiroshi 2015-03-25 11:45:11 +0900 (Wed, 25 Mar 2015) New Revision: c6c22bc28245ac84e58286ba2d1a85ff3d12d21f https://github.com/droonga/droonga-engine/commit/c6c22bc28245ac84e58286ba2d1a85ff3d12d21f Message: Forbid to run dangerous commands in Serf's event handler scripts Modified files: lib/droonga/serf/command.rb Modified: lib/droonga/serf/command.rb (+21 -0) ===================================================================
--- lib/droonga/serf/command.rb 2015-03-25 11:20:29 +0900 (88682d0)
+++ lib/droonga/serf/command.rb 2015-03-25 11:45:11 +0900 (bbd738e)
@@ -35,11 +35,24 @@ module Droonga
 end
 end
+ class ForbiddenCommandInEventHandler < Error
+ def initialize(command)
+ message = "#{command} is forbidden in an event handler script."
+ super(message)
+ end
+ end
+
+ DANGEROUS_COMMANDS_IN_EVENT_HANDLER = [
+ "event",
+ "query",
+ ]
+
 include Loggable
 attr_accessor :verbose
 def initialize(serf, command, *options)
+ assert_safe_command(command)
 @serf = serf
 @command = command
 @options = options
@@ -65,6 +78,14 @@ module Droonga
 stdout
 end
+ private
+ def assert_safe_command(command)
+ if ENV.key?("SERF_EVENT") and
+ DANGEROUS_COMMANDS_IN_EVENT_HANDLER.include?(command)
+ raise ForbiddenCommandInEventHandler.new(command)
+ end
+ end
+
 def log_tag
 "serf[#{@command}]"
 end
-------------- next part -------------- HTML����������������������������... 下载
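Review bot: `DANGEROUS_COMMANDS_IN_EVENT_HANDLER` is left as a mutable Array with no comment on why `event` and `query` are the blocked subcommands, so the denylist can be altered at runtime and a maintainer has no criterion for extending it. Closing the literal with `].freeze` fixes the first part. For the second, a comment above the constant such as `# Serf subcommands that dispatch new events/queries; blocked inside handlers (rationale to be confirmed by the author)` would record the intent, which the hunk itself does not state. The enclosing module and class begin outside this hunk.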
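Review bot: The `include?` test in `assert_safe_command` is an exact String comparison, so a command passed as a Symbol such as `:event` would not match the denylist and the guard would be skipped; whether any caller passes a non-String is not visible in this hunk. Normalizing first, e.g. `DANGEROUS_COMMANDS_IN_EVENT_HANDLER.include?(command.to_s)`, closes that gap. Separately, the bare `private` added above the method also covers the existing `log_tag` that follows it, unless an earlier `private` outside the hunk already did, so any call to `log_tag` with an explicit receiver would now raise `NoMethodError`. The check also keys only on the presence of `SERF_EVENT`, which deserves a one-line comment such as `# SERF_EVENT is set by Serf when it invokes an event handler`.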