field | value | date
---|---|---
author | zzak <zzak@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2013-02-05 18:44:46 +0000
committer | zzak <zzak@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2013-02-05 18:44:46 +0000
commit | 55f11348c3ba5129f9d4c6cd266e8fd9a02fd912 |
tree | 9a497a33717fc254e1fefa7618f5c69a0fadd0dd /doc |
parent | b614d7823c4d3dcb263577127db5e7e333573a4e |
* doc/security.rdoc: Remove documentation for unsafe CSV.load which
was deleted in r39077
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'doc')

mode | file | lines changed
---|---|---
-rw-r--r-- | doc/security.rdoc | 20

1 files changed, 0 insertions, 20 deletions
diff --git a/doc/security.rdoc b/doc/security.rdoc index c98011313d..566920a5c1 100644 --- a/doc/security.rdoc +++ b/doc/security.rdoc @@ -54,26 +54,6 @@ deserialized: Because of this, many of the security considerations applying to Marshal are also applicable to YAML. Do not use YAML to deserialize untrusted data. -== CSV - -Never use +CSV.load+ to parse untrusted CSV data. +CSV.load+ shares many of the -same issues as YAML and Marshal in that it will deserialize to arbitrary -classes: - - class,ERB - @src - puts `uname` - -However, CSV's +load+ method is significantly more dangerous than Marshal and -YAML as it will call arbitrary methods with attacker controlled arguments in -some cases: - - class,Object - eval - puts `uname` - -If you need to parse user supplied CSV data, use +CSV.parse+ instead. - == Symbols Symbols are often seen as syntax sugar for simple strings, but they play a much |
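Review bot: deleting the whole "== CSV" section (the block between the YAML paragraph and "== Symbols") also drops the one sentence that still helps readers on releases where the method exists, "If you need to parse user supplied CSV data, use +CSV.parse+ instead." Since the commit message records that +CSV.load+ was deleted in r39077, consider replacing the section with a one-line note rather than removing it outright, for example "+CSV.load+ was removed in r39077; on releases that still ship it, never call it on untrusted data, use +CSV.parse+." The hunk itself is otherwise consistent: the header "@@ -54,26 +54,6 @@" accounts for exactly the 20 deleted lines reported in the diffstat, and the surrounding YAML and Symbols context is left untouched.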