[ANN] urirequire: I got yer Web 2.0 right here
Francis Hwang
there was a more elegant way to download and execute code from all over
the internets!" Well, urirequire is the lib for you. By hijacking
Kernel.require, urirequire makes it a snap to include code from
anywhere on the World Wide Whatever. Sure, eval'ing code that you don't
own might be dangerous; for all you know, that remote Ruby file could
be undefining Class or emailing your ex-girlfriends. But I say it's
time to get with the bleeding edge! Control of your own code is so
February 2005.
http://rubyforge.org/projects/urirequire/
== EXAMPLE 1: THE ABSURDLY RISKY 'HELLO WORLD' ==
require 'urirequire'
require 'http://fhwang.net/urirequire_test'
Run this, if you feel lucky. Do ya, punk?
== EXAMPLE 2: INSTALL HOBIX IN SEVEN LESS KEYSTROKES ==
ruby -rurirequire -e "require 'http://go.hobix.com/'"
This installs Hobix, that fantabulous blahhg engine by your friend and
mine, why the lucky stiff. Sure, it looks like there's a lot of code at
that URI, but if you can't trust _why, who can you trust? I mean, you
trust your mom, and she couldn't draw a cartoon fox if her life
depended on it.
== TAGLINES WHICH WILL PROBABLY MAKE NOBODY DOWNLOAD MY LIB BUT I THINK
ARE FUNNY ANYWAY ==
urirequire: The network Pwns the computer!
urirequire: Now I'll never get that job working for Bruce Schneier.
urirequire: It's not just a solution looking for a problem. It's a
solution looking for a victim.
James Edward Gray II
> urirequire: It's not just a solution looking for a problem. It's a
> solution looking for a victim.
That's so damn classy. Makes me want to download it right now!
James Edward Gray II
Gregory Brown
> urirequire: It's not just a solution looking for a problem. It's a
> solution looking for a victim.
Francis, you are my hero.
Wayne Vucenic
On 11/1/05, Francis Hwang <se...@fhwang.net> wrote:
> Fellow Rubyists! How many times have you thought to yourself: "If only
> there was a more elegant way to download and execute code from all over
> the internets!"
urirequire is really nice!!! Thanks!
Wayne
Jeff Wood
shouldn't that be like 4 lines???
def net_eval( url )
require 'open-uri'
eval open( url ).readlines.join
end
???!??!?!? ( or something similar to that ) ... and yeah, it takes real guts
to run code you don't own.
BTW, your test URL ... is 404.
j.
--
"http://ruby-lang.org -- do you ruby?"
Jeff Wood
Daniel Sheppard
require 'urirequire'
uri_require
'http://fhwang.net/urirequire_test','SHA1:413ABF4Dxxxxxxxxxxx'
go to the internet, grab that code, trust it only if it's the same as
when I said to get it.
Gems - fah! For suckers. Just send me that .rb file, chock full of
uri's, and be done with it.
> -----Original Message-----
> From: Francis Hwang [mailto:se...@fhwang.net]
> Sent: Wednesday, 2 November 2005 2:22 PM
> To: ruby-talk ML
> Subject: [ANN] urirequire: I got yer Web 2.0 right here
>
> Fellow Rubyists! How many times have you thought to yourself:
> "If only there was a more elegant way to download and execute
> code from all over the internets!" Well, urirequire is the
> lib for you. By hijacking Kernel.require, urirequire makes it
> a snap to include code from anywhere on the World Wide
> Whatever. Sure, eval'ing code that you don't own might be
> dangerous; for all you know, that remote Ruby file could be
> undefining Class or emailing your ex-girlfriends. But I say
> it's time to get with the bleeding edge! Control of your own
> code is so February 2005.
>
> http://rubyforge.org/projects/urirequire/
>
> == EXAMPLE 1: THE ABSURDLY RISKY 'HELLO WORLD' ==
>
> require 'urirequire'
> require 'http://fhwang.net/urirequire_test'
>
> Run this, if you feel lucky. Do ya, punk?
>
> == EXAMPLE 2: INSTALL HOBIX IN SEVEN LESS KEYSTROKES ==
>
> ruby -rurirequire -e "require 'http://go.hobix.com/'"
>
> This installs Hobix, that fantabulous blahhg engine by your
> friend and mine, why the lucky stiff. Sure, it looks like
> there's a lot of code at that URI, but if you can't trust
> _why, who can you trust? I mean, you trust your mom, and she
> couldn't draw a cartoon fox if her life depended on it.
>
> == TAGLINES WHICH WILL PROBABLY MAKE NOBODY DOWNLOAD MY LIB
> BUT I THINK ARE FUNNY ANYWAY ==
>
> urirequire: The network Pwns the computer!
>
> urirequire: Now I'll never get that job working for Bruce Schneier.
>
> urirequire: It's not just a solution looking for a problem.
> It's a solution looking for a victim.
>
>
>
>
#####################################################################################
This email has been scanned by MailMarshal, an email content filter.
#####################################################################################
Francis Hwang
> lib ???
>
> shouldn't that be like 4 lines???
>
> def net_eval( url )
> require 'open-uri'
> eval open( url ).readlines.join
> end
Yeah, something like that. Actually right now urirequire clocks in at
23 lines, because of certain edge cases, and the fact that it uses
Kernel.require, not a new method. Of course, the utility and elegance
of such an override is quite debatable.
At any rate, it's definitely quite small. Sometimes I package small
seeds of functionality into libs, because Rubygems makes managing tiny
libs easy, and because copy-and-paste makes the baby Jesus cry.
>
> ???!??!?!? ( or something similar to that ) ... and yeah, it takes real guts
> to run code you don't own.
>
> BTW, your test URL ... is 404.
Remember that when you require open-uri the file isn't actually
"open-uri" -- it usually ends with an ".rb". Apply this analogously to
a URI, and you'll get around that little 404 hurdle.
f.
Gavin Kistner
> == TAGLINES WHICH WILL PROBABLY MAKE NOBODY DOWNLOAD MY LIB BUT I
> THINK
> ARE FUNNY ANYWAY ==
>
> urirequire: The network Pwns the computer!
>
> urirequire: Now I'll never get that job working for Bruce Schneier.
>
> urirequire: It's not just a solution looking for a problem. It's a
> solution looking for a victim.
ROFL. You made me wake up my wife with my giggling. :D
No more laptop ruby-talk for me :)
Daniel Sheppard
require 'open-uri'
module UriRequire
Version = '0.1.1'
@@orig_require = Kernel.method :require
def self.orig_require; @@orig_require; end
end
def require( library_name )
if library_name =~ /^(http|https|ftp):\/\//
uri_require( library_name )
else
UriRequire.orig_require.call library_name
end
end
def uri_require( library_name, expected_digest )
begin
contents = open( library_name ) do |f| f.gets( nil );
end
rescue OpenURI::HTTPError
library_name += '.rb'
contents = open( library_name ) do |f| f.gets( nil );
end
end
require 'digest/sha1'
digest = Digest::SHA1.hexdigest('xx')
if expected_digest
raise "Wrong Hash - Expected '#{expected_digest}', recieved
'#{digest}'"
else
warn "Requiring a uri without a hash? Are you freakin'
crazy?"
warn "The hash is '#{digest}' for '#{library_name}'"
end
eval contents
end
Francis Hwang
release.
Daniel Sheppard
> raise "Wrong Hash - Expected '#{expected_digest}', recieved
'#{digest}'"
what sort of drugs am I on? Seemingly not the good ones.
if expected_digest
raise "Wrong Hash - Expected '#{expected_digest}', received
'#{digest}'" unless digest == expected_digest
I actually think this has the potential of being a damn useful library.
Once you put in the hashing, I don't see why this is any more dangerous
than a gem. The only problem is that you'd need to modify your code to
upgrade to a newer version of a library, but there's not too much wrong
with that. If you're hashing the code, it's not allowed to be modified,
so you can keep a local cache of files and only download once.
Or, if you're just doing it with somewhere you can trust, you can just
use it within your own scripts and let them download the latest version
from a constantly-changing source.
James Britt
> lib ???
>
> shouldn't that be like 4 lines???
>
> def net_eval( url )
> require 'open-uri'
> eval open( url ).readlines.join
> end
>
Here's a quick variation:
require 'open-uri'
def require( resource )
begin
super
rescue LoadError
$:.each do |lp|
if lp =~ /http:\/\//i
begin
s = open( "#{lp}/#{resource}" ) { |f| f.read}
eval s
return
rescue; end
end
end
raise LoadError.new( "Cannot find '#{resource}'")
end
end
# Now you can add select Web sites to the load path
$:.unshift 'http://trust.me/no/really/this/is/safe'
Mix in MouseHole for more fun.
James
--
http://www.ruby-doc.org - The Ruby Documentation Site
http://www.rubyxml.com - News, Articles, and Listings for Ruby & XML
http://www.rubystuff.com - The Ruby Store for Ruby Stuff
http://www.jamesbritt.com - Playing with Better Toys
Kev Jackson
>> if expected_digest
>> raise "Wrong Hash - Expected '#{expected_digest}', recieved
>>
>>
>'#{digest}'"
>
>what sort of drugs am I on? Seemingly not the good ones.
>
>if expected_digest
> raise "Wrong Hash - Expected '#{expected_digest}', received
>'#{digest}'" unless digest == expected_digest
>
>
>I actually think this has the potential of being a damn useful library.
>Once you put in the hashing, I don't see why this is any more dangerous
>than a gem. The only problem is that you'd need to modify your code to
>upgrade to a newer version of a library, but there's not too much wrong
>with that. If you're hashing the code, it's not allowed to be modified,
>so you can keep a local cache of files and only download once.
>
>Or, if you're just doing it with somewhere you can trust, you can just
>use it within your own scripts and let them download the latest version
>from a constantly-changing source.
>
>
If you could adapt it so that it'll accept svn:// (or https I suppose),
then you could even use it to keep libraries updated from a svn repo -
which would be rather nice
Jeff Wood
be l33t ... just like urirequire ;)
j.
Gregory Brown
> actually, we need to write a ruby-based version control system. that would
> be l33t ... just like urirequire ;)
Hmm... I like that idea a lot. What would you put into a ruby based
RCS that isn't already in SVN?
One neat thing I could see would be integration of a ruby based RCS
with rake, so you can just do rake update or something of the like.
Also... plugging in little ruby scripts to munge the repository in
various ways would be awesome :)
Kroeger, Simon (ext)
> From: Jeff Wood [mailto:jeff.da...@gmail.com]
>
> lib ???
>
> shouldn't that be like 4 lines???
> [...]
>
> BTW, your test URL ... is 404.
>
> j.
You found the/one answer to your own question, look at:
http://fhwang.net/urirequire_test.rb
cheers
Simon
Edgardo Hames
I would say, we need some sort of "ioslaves" like KDE's. Then,
accessing a different location/protocol would be transparent for
applications.
My AR$ 0.02
Ed
--
Encontrá a "Tu psicópata favorito" http://tuxmaniac.blogspot.com
Thou shalt study thy libraries and strive not to reinvent them without cause,
that thy code may be short and readable and thy days pleasant and productive.
-- Seventh commandment for C programmers
Adam Sanderson
exactly what the file should look like, you've probably downloaded it
already... and now it's local.
Regardless, ruby is fun.
.adam sanderson
Christian Neukirchen
>> if expected_digest
>> raise "Wrong Hash - Expected '#{expected_digest}', recieved
> '#{digest}'"
>
> what sort of drugs am I on? Seemingly not the good ones.
Been wondering about that too...
> require 'digest/sha1'
> digest = Digest::SHA1.hexdigest('xx')
Always the same hash... ;-P
--
Christian Neukirchen <chneuk...@gmail.com> http://chneukirchen.org
James Britt
> "Daniel Sheppard" <dan...@pronto.com.au> writes:
>
> ...
>>
>>what sort of drugs am I on? Seemingly not the good ones.
>
>
> Been wondering about that too...
>
>
> Always the same hash... ;-P
That's the problem. Need better hash.
Edward Faulkner
> Doesn't putting the hash in kind of defeat the purpose? If you know
> exactly what the file should look like, you've probably downloaded it
> already... and now it's local.
Yes. But you could salvage the situation with PKI. So you'd specify
a public key to trust, perhaps by fingerprint:
require 'http://foo', 'A5EA B010 448C D0B9 FD2A 287C 9E15 33D7 5A7D 3120'
And require would fail unless the code is properly signed.
-Ed
Adam Sanderson
expand. Well... maybe not easy, but it's doable.
Create a new URI Scheme class (example uri/ftp.rb) and add it to the
URI schemes defined in the URI module (defined in uri/common.rb).
Ensure that the URI defines direct_open(...) (see open-uri.rb) and
include open-uri's OpenRead module.
It would be conceivable to implement open-uri suppot for SSH for
example with the net-ssh library.
Anyways it's a thought, and that's all the spots to look in.
.adam sanderson
Rob Rypka
> > if expected_digest
> > raise "Wrong Hash - Expected '#{expected_digest}', recieved
> '#{digest}'"
>
> what sort of drugs am I on? Seemingly not the good ones.
I'm just guessing, but you were probably smoking hash, albeit the wrong hash.
--
Rob
dave...@gmail.com
> shouldn't that be like 4 lines???
>
> def net_eval( url )
> require 'open-uri'
> eval open( url ).readlines.join
> end
A haiku's only 3:
def ur(url) require \
'open-uri'; eval (
open(url).read) end
* "url" is pronounced like "earl"
* proc = people's republic of china = autumn
Cheers,
Dave
Steven Arnold
On Nov 1, 2005, at 11:35 PM, Daniel Sheppard wrote:
> Could security be as easy as:
>
> require 'urirequire'
> uri_require
> 'http://fhwang.net/urirequire_test','SHA1:413ABF4Dxxxxxxxxxxx'
>
> go to the internet, grab that code, trust it only if it's the same as
> when I said to get it.
Probably would be better if I could merely check that it was signed
by someone I trust. Heeey.....this is sounding suspiciously like
Active-X.
steve
James Britt
It's HyperActiveX.
Now, where's Mr. Bunny?