Why does Ruby 1.9.2 remove "." from LOAD_PATH, and what's the alternative?
It was deemed a "security" risk.
You can get around it by using absolute paths
File.expand_path(__FILE__) et al
or doing
require './filename' (ironically).
or by using
require_relative 'filename'
or adding an "include" directory
ruby -I . ...
or the same, using irb;
$ irb -I .
There are two reasons:
- robustness and
- security
Both are based on the same underlying principle: in general, you simply cannot know what the current directory is, when your code is run. Which means that, when you require a file and depend on it being in the current directory, you have no way of controlling whether that file will even be there, or whether it is the file that you actually expect to be there.
As other answers point out, it's a security risk because "." in your load path refers to the present working directory, Dir.pwd, not the directory of the current file being loaded. So whoever is executing your script can change this simply by cd-ing to another directory. Not good!
I've been using full paths constructed from __FILE__ as an alternative.
require File.expand_path(File.join(File.dirname(__FILE__), 'filename'))
Unlike require_relative, this is backward compatible with Ruby 1.8.7.
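The behaviour described in the answers above, as an added example that is not code from any of the answers: the same script is started from two working directories, once with "." on the load path and once with each file-relative alternative. The app and elsewhere directories, the helper.rb files and the HELPER_ORIGIN constant are constructed for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'
require 'rbconfig'

# Each entry script loads "helper" a different way and prints which copy it got.
LOADERS = {
  dot_in_load_path: "$LOAD_PATH.unshift('.')\nrequire 'helper'",
  require_relative: "require_relative 'helper'",
  expand_path:      "require File.expand_path(File.join(File.dirname(__FILE__), 'helper'))"
}.freeze

# Constructed fixture: app/ is the real application directory, elsewhere/ is
# an unrelated directory that happens to contain its own helper.rb.
def build_fixture(root)
  %w[app elsewhere].each do |name|
    dir = File.join(root, name)
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, 'helper.rb'), "HELPER_ORIGIN = '#{name}'\n")
  end
  LOADERS.each do |label, code|
    File.write(File.join(root, 'app', "#{label}.rb"), "#{code}\nprint HELPER_ORIGIN\n")
  end
end

# Run app/<label>.rb by absolute path in a child interpreter started in `cwd`.
def loaded_from(root, label, cwd)
  script = File.join(root, 'app', "#{label}.rb")
  IO.popen([RbConfig.ruby, script], chdir: File.join(root, cwd), &:read)
end

# For every loader, report which helper.rb was loaded from each working directory.
def survey
  Dir.mktmpdir do |root|
    build_fixture(root)
    LOADERS.keys.to_h do |label|
      [label, %w[app elsewhere].to_h { |cwd| [cwd, loaded_from(root, label, cwd)] }]
    end
  end
end

survey.each { |label, result| puts "#{label}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

Only the "." loader changes its answer with the working directory; the two file-relative loaders always pick the helper.rb that sits next to the script.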