From e7464561b5151501beb356fc750d5dd1a88014f7 Mon Sep 17 00:00:00 2001 From: nobu Date: Wed, 20 Dec 2017 04:18:31 +0000 Subject: [PATCH] Fixed command Injection * resolv.rb (Resolv::Hosts#lazy_initialize): fixed potential command Injection in Hosts::new() by use of Kernel#open. [Fix GH-1777] [ruby-core:84347] [Bug #14205] From: Drigg3r git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61349 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- lib/resolv.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/resolv.rb b/lib/resolv.rb index 1044b95e68..56183b837d 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -188,7 +188,7 @@ class Resolv unless @initialized @name2addr = {} @addr2name = {} - open(@filename, 'rb') {|f| + File.open(@filename, 'rb') {|f| f.each {|line| line.sub!(/#.*/, '') addr, hostname, *aliases = line.split(/\s+/)