mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
e9a2b30744
Clarifies security vulnerabilities for commands.
Treats:
Kernel.system
Kernel.` (backtick)
IO.popen
IO.read
IO.write
IO.binread
IO.binwrite
IO.readlines
IO.foreach
29 lines
710 B
Text
29 lines
710 B
Text
== Command Injection
|
|
|
|
Some Ruby core methods accept string data
|
|
that includes text to be executed as a system command.
|
|
|
|
They should not be called with unknown or unsanitized commands.
|
|
|
|
These methods include:
|
|
|
|
- Kernel.system
|
|
- {`command` (backtick method)}[rdoc-ref:Kernel#`]
|
|
(also called by the expression <tt>%x[command]</tt>).
|
|
- IO.popen(command).
|
|
- IO.read(command).
|
|
- IO.write(command).
|
|
- IO.binread(command).
|
|
- IO.binwrite(command).
|
|
- IO.readlines(command).
|
|
- IO.foreach(command).
|
|
|
|
Note that some of these methods do not execute commands when called
|
|
from subclass \File:
|
|
|
|
- File.read(path).
|
|
- File.write(path).
|
|
- File.binread(path).
|
|
- File.binwrite(path).
|
|
- File.readlines(path).
|
|
- File.foreach(path).
|