| | | |
|---|---|---|
| author | Jean Boussier <jean.boussier@gmail.com> | 2025-12-26 09:14:57 +0100 |
| committer | Jean Boussier <jean.boussier@gmail.com> | 2025-12-26 13:05:29 +0100 |
| commit | b304c149aa2fe845872ccdf6ea88e7fe155c61f3 (patch) | |
| tree | f2db672e83b3a361f96456362469af275ecdbc9d | |
| parent | c3424615821192488f644d41eff21fa349a1eb2f (diff) | |
[DOC] Remove outdated documentation about command injection
[Feature #19630]
This dangerous behavior was removed in 4.0 (996cae65f3cc8fed60c6bb758b00882cac49389d)
but the documentation wasn't updated.
| -rw-r--r-- | doc/security/command_injection.rdoc | 22 |
| -rw-r--r-- | io.c | 27 |
2 files changed, 0 insertions, 49 deletions
diff --git a/doc/security/command_injection.rdoc b/doc/security/command_injection.rdoc index ee33d4a04e..d46e42f7be 100644 --- a/doc/security/command_injection.rdoc +++ b/doc/security/command_injection.rdoc @@ -13,25 +13,3 @@ These methods include: - {\`command` (backtick method)}[rdoc-ref:Kernel#`] (also called by the expression <tt>%x[command]</tt>). - IO.popen (when called with other than <tt>"-"</tt>). - -Some methods execute a system command only if the given path name starts -with a <tt>|</tt>: - -- Kernel.open(command). -- IO.read(command). -- IO.write(command). -- IO.binread(command). -- IO.binwrite(command). -- IO.readlines(command). -- IO.foreach(command). -- URI.open(command). - -Note that some of these methods do not execute commands when called -from subclass +File+: - -- File.read(path). -- File.write(path). -- File.binread(path). -- File.binwrite(path). -- File.readlines(path). -- File.foreach(path). @@ -8256,9 +8256,6 @@ rb_io_s_sysopen(int argc, VALUE *argv, VALUE _) * * Creates an IO object connected to the given file. * - * This method has potential security vulnerabilities if called with untrusted input; - * see {Command Injection}[rdoc-ref:security/command_injection.rdoc]. - * * With no block given, file stream is returned: * * open('t.txt') # => #<File:t.txt> @@ -12054,10 +12051,6 @@ io_s_foreach(VALUE v) * * Calls the block with each successive line read from the stream. * - * When called from class \IO (but not subclasses of \IO), - * this method has potential security vulnerabilities if called with untrusted input; - * see {Command Injection}[rdoc-ref:security/command_injection.rdoc]. - * * The first argument must be a string that is the path to a file. * * With only argument +path+ given, parses lines from the file at the given +path+, 
@@ -12157,10 +12150,6 @@ io_s_readlines(VALUE v) * * Returns an array of all lines read from the stream. * - * When called from class \IO (but not subclasses of \IO), - * this method has potential security vulnerabilities if called with untrusted input; - * see {Command Injection}[rdoc-ref:security/command_injection.rdoc]. - * * The first argument must be a string that is the path to a file. * * With only argument +path+ given, parses lines from the file at the given +path+, @@ -12246,10 +12235,6 @@ seek_before_access(VALUE argp) * Opens the stream, reads and returns some or all of its content, * and closes the stream; returns +nil+ if no bytes were read. * - * When called from class \IO (but not subclasses of \IO), - * this method has potential security vulnerabilities if called with untrusted input; - * see {Command Injection}[rdoc-ref:security/command_injection.rdoc]. - * * The first argument must be a string that is the path to a file. * * With only argument +path+ given, reads in text mode and returns the entire content @@ -12317,10 +12302,6 @@ rb_io_s_read(int argc, VALUE *argv, VALUE io) * Behaves like IO.read, except that the stream is opened in binary mode * with ASCII-8BIT encoding. * - * When called from class \IO (but not subclasses of \IO), - * this method has potential security vulnerabilities if called with untrusted input; - * see {Command Injection}[rdoc-ref:security/command_injection.rdoc]. - * */ static VALUE 
@@ -12421,10 +12402,6 @@ io_s_write(int argc, VALUE *argv, VALUE klass, int binary) * Opens the stream, writes the given +data+ to it, * and closes the stream; returns the number of bytes written. * - * When called from class \IO (but not subclasses of \IO), - * this method has potential security vulnerabilities if called with untrusted input; - * see {Command Injection}[rdoc-ref:security/command_injection.rdoc]. - * * The first argument must be a string that is the path to a file. * * With only argument +path+ given, writes the given +data+ to the file at that path: @@ -12471,10 +12448,6 @@ rb_io_s_write(int argc, VALUE *argv, VALUE io) * Behaves like IO.write, except that the stream is opened in binary mode * with ASCII-8BIT encoding. * - * When called from class \IO (but not subclasses of \IO), - * this method has potential security vulnerabilities if called with untrusted input; - * see {Command Injection}[rdoc-ref:security/command_injection.rdoc]. - * */ static VALUE |
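Review bot: In the command_injection.rdoc hunk, dropping the whole "|"-prefix section leaves no trace that the behaviour ever existed, yet the commit message itself says it was only removed in 4.0 (996cae65f3cc8fed60c6bb758b00882cac49389d); consider keeping a single line after the IO.popen item stating that, as of Ruby 4.0, Kernel.open, IO.read, IO.write and the related methods listed here no longer execute a command when the path starts with "|", so readers auditing code written for 3.x still find the history on this page. Also note that URI.open, which appears in the removed list, is provided by open-uri rather than by io.c, so its own documentation should be checked for the same outdated warning.

Review bot: Across the io.c hunks (the Kernel#open doc following rb_io_s_sysopen, and io_s_foreach, io_s_readlines, the doc before seek_before_access, rb_io_s_read, io_s_write and rb_io_s_write), removing the "see Command Injection" paragraph leaves "The first argument must be a string that is the path to a file." as the only statement about the argument; consider extending that sentence to say explicitly what now happens with a leading "|" (the commit message says the command-execution behaviour was removed in 4.0), since that is the guarantee these call sites now rely on and the cross-reference that used to carry it is gone.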
