File: command_injection.rdoc

ruby3.4 3.4.5-1~exp1
= Command Injection

Some Ruby core methods accept string data
that includes text to be executed as a system command.

They should not be called with unknown or unsanitized commands.

These methods include:

- Kernel.exec
- Kernel.spawn
- Kernel.system
- {\`command` (backtick method)}[rdoc-ref:Kernel#`]
  (also called by the expression <tt>%x[command]</tt>).
- IO.popen (when called with other than <tt>"-"</tt>).
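The following is an added example, not part of the Ruby documentation: it runs the same command through the single-string form (parsed by a shell) and through the argument-array form (executed directly), using one constructed untrusted value. The validator +plain_name?+ and its pattern are this example's own choice, not anything the core methods provide.

```ruby
# Added example, not from the Ruby documentation: the same command run
# through a shell-parsed string and through an argument array.
require 'open3'

# Constructed untrusted input: looks like a file name but carries shell syntax.
UNTRUSTED = "report.txt; echo INJECTED"

# Accepts only plain file names; anything else is rejected before any
# command runs. (Validator and pattern are this example's own choice.)
def plain_name?(value)
  value.match?(/\A[\w.\-]+\z/)
end

# Unsafe: a single string containing shell metacharacters is handed to
# /bin/sh, so the ";" splits it into two commands.
def shell_form(name)
  IO.popen("echo #{name}", &:read)
end

# Safe: an argument array is executed directly, without a shell, so the
# whole value reaches echo as one argv element and is printed verbatim.
def argv_form(name)
  IO.popen(["echo", name], &:read)
end

# The same distinction applies to Kernel.system (and Kernel.spawn):
# system("echo", name) never involves a shell, system("echo #{name}") may.
def argv_system(name)
  system("echo", name, out: File::NULL)
end

if __FILE__ == $0
  puts "validator:  #{plain_name?(UNTRUSTED)}"
  puts "shell form: #{shell_form(UNTRUSTED).inspect}"
  puts "argv form:  #{argv_form(UNTRUSTED).inspect}"
end
```

Ruby only hands a single-string command to the shell when the string contains shell metacharacters; a string without them is executed directly. Relying on that is fragile, because the check runs on the composed string, which is exactly the part untrusted input can change. The argument-array form removes the shell from the path entirely, and an allowlist check such as +plain_name?+ rejects suspicious values before anything is executed.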

Some methods execute a system command only if the given path name starts
with a <tt>|</tt>:

- Kernel.open(command).
- IO.read(command).
- IO.write(command).
- IO.binread(command).
- IO.binwrite(command).
- IO.readlines(command).
- IO.foreach(command).
- URI.open(command).

Note that some of these methods do not execute commands when called
from subclass +File+:

- File.read(path).
- File.write(path).
- File.binread(path).
- File.binwrite(path).
- File.readlines(path).
- File.foreach(path).
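The following is an added example, not part of the Ruby documentation: it shows the <tt>|</tt> rule in action for IO.read, then a small reading helper that refuses the pipe prefix and uses File.read so that a caller-supplied path is always treated as a file name. The helper +read_user_path+ and the +PipePrefixError+ class are this example's own, and the temporary file it reads is constructed inline.

```ruby
# Added example, not from the Ruby documentation: the "|" rule for the
# IO-family readers, beside a helper that never treats a path as a command.
require 'tempfile'

# IO.read with a leading "|" runs the remainder as a command and returns
# its output. (Harmless command here, used only to show the behaviour.)
def pipe_prefix_runs_command
  IO.read("|echo hi")
end

# Raised by read_user_path when the path looks like a command request.
class PipePrefixError < ArgumentError; end

# Defensive wrapper for caller-supplied paths:
# 1. reject the pipe prefix up front, with an explicit error, so the intent
#    is visible and survives a later switch to IO.read or Kernel.open;
# 2. read through File.read, which treats its argument as a file name and
#    does not execute commands (a path such as "|echo hi" is looked up
#    literally and simply fails to open).
def read_user_path(path)
  if path.start_with?("|")
    raise PipePrefixError, "refusing command-like path: #{path.inspect}"
  end
  File.read(path)
end

# Constructed input: a temporary file with known contents, read through
# the wrapper; the file is removed when the block ends.
def read_constructed_file
  Tempfile.create("cmdinj") do |f|
    f.write("plain data\n")
    f.flush
    read_user_path(f.path)
  end
end

if __FILE__ == $0
  puts "IO.read with pipe prefix: #{pipe_prefix_runs_command.inspect}"
  puts "wrapper on a real file:   #{read_constructed_file.inspect}"
  begin
    read_user_path("|echo hi")
  rescue PipePrefixError => e
    puts "wrapper on pipe prefix:   #{e.message}"
  end
end
```

Whenever the value being opened comes from outside the program, prefer the +File+ class methods listed above for file access, and reserve Kernel.open, IO.read and their siblings for paths the program itself composes.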