Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why does Ruby 1.9.2 remove "." from LOAD_PATH, and what's the alternative?

Tags:

ruby

require

rake

load-path

It was deemed a "security" risk.

You can get around it by using absolute paths 

File.expand_path(__FILE__) et al

or doing

require './filename' (ironically).

or by using 

require_relative 'filename'

or adding an "include" directory

ruby -I . ...

or the same, using irb;

$irb -I .

There's two reasons:

  • robustness and
  • security

Both are based on the same underlying principle: in general, you simply cannot know what the current directory is, when your code is run. Which means that, when you require a file and depend on it being in the current directory, you have no way of controlling whether that file will even be there, or whether it is the file that you actually expect to be there.


As others answers point out, it's a security risk because . in your load path refers to the present working directory Dir.pwd, not the directory of the current file being loaded. So whoever is executing your script can change this simply by cding to another directory. Not good!

I've been using full paths constructed from __FILE__ as an alternative.

require File.expand_path(File.join(File.dirname(__FILE__), 'filename'))

Unlike require_relative, this is backward compatible with Ruby 1.8.7.


Use require_relative 'file_to_require'

Throw this in your code to make require_relative work in 1.8.7:

unless Kernel.respond_to?(:require_relative)
  module Kernel
    def require_relative(path)
      require File.join(File.dirname(caller.first), path.to_str)
    end
  end
end

'.' in your path has long been considered a bad thing in the Unix world (see, for example, http://www.faqs.org/faqs/unix-faq/faq/part2/section-13.html). I assume the Ruby folks have been persuaded of the wisdom of not doing that.


I found this to be a confounding change until I realized a couple of things.

You can set RUBYLIB in your .profile (Unix) and go on with life as you did before:

export RUBYLIB="."

But as mentioned above, it's long been considered unsafe to do so.

For the vast majority of cases you can avoid problems by simply calling your Ruby scripts with a prepended '.' e.g. ./scripts/server.

Related questions

How to change default timezone for Active Record in Rails?
Continuous Integration for Ruby on Rails? [closed]
You have already activated X, but your Gemfile requires Y
Ruby Array find_first object?
How to extract URL parameters from a URL with Ruby or Rails?
Get current stack trace in Ruby without raising an exception
A copy of xxx has been removed from the module tree but is still active
How to get UTC timestamp in Ruby?
Ruby class types and case statements
How to capitalize the first letter in a String in Ruby
Removing all empty elements from a hash / YAML?
Why doesn't ruby support method overloading?
Get file name and extension in Ruby
How can I avoid running ActiveRecord callbacks?
Ruby: How to convert a string to boolean
Ruby: require vs require_relative - best practice to workaround running in both Ruby <1.9.2 and >=1.9.2
Create a devise user from Ruby console
Rails: Open link in new tab (with 'link_to')
How to URL encode a string in Ruby
Rails hidden field undefined method 'merge' error

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!