author: marcandre <marcandre@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2015-02-04 16:41:38 +0000
committer: marcandre <marcandre@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2015-02-04 16:41:38 +0000
commit: 8350b7dc04ad2af3473c91e680ca05a140243101
tree: bad2be13c66edd28e4e7a215f773a80804e52a4c /doc
parent: da1330c85a87b0c6de4869a4550f2be2268ef09a
* doc/security.rdoc: [DOC] amend symbols section for bug with send [ci-skip]
git-svn-id: svn+ssh:// b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'doc')
1 files changed, 3 insertions, 2 deletions
diff --git a/doc/security.rdoc b/doc/security.rdoc
index 5257aba..5fb7b15 100644
--- a/doc/security.rdoc
+++ b/doc/security.rdoc
@@ -75,7 +75,8 @@ They are created when modifying code:
* defining a method (e.g. with +define_method+),
* setting an instance variable (e.g. with +instance_variable_set+),
* creating a variable or constant (e.g. with +const_set+)
-Also, C extensions that have not been updated and are still calling `ID2SYM`
+Because of a bug, +send+ and +__send__+ also create immortal symbols.
+Finally, C extensions that have not been updated and are still calling `ID2SYM`
will create immortal symbols.
Don't create immortal symbols from user inputs. Otherwise, this would
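Review bot: The added line "Because of a bug, +send+ and +__send__+ also create immortal symbols." gives neither the tracker issue nor the affected versions, so a reader cannot tell when this caveat stops applying; suggest citing the bug reference and the version in which +send+ stops creating immortal symbols (or wording it as "As of this version, ..."), since the very next paragraph tells readers not to create immortal symbols from user input and +send+ with a user-controlled method name is exactly that case. Minor style point on the other added line: RDoc does not treat backticks as code markup, so `ID2SYM` should be +ID2SYM+ to match +send+ and +__send__+ in the same list.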
@@ -84,7 +85,7 @@ flooding it with unique strings, which will cause memory to grow indefinitely
until the Ruby process is killed or causes the system to slow to a halt.
While it might not be a good idea to call these with user inputs, methods that
-used to be vulnerable such as +to_sym+, +send+, +respond_to?+,
+used to be vulnerable such as +to_sym+, +respond_to?+,
+method+, +instance_variable_get+, +const_get+, etc. are no longer a threat.
== Regular expressions
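Review bot: Removing +send+ from the "no longer a threat" list is consistent with the first hunk, but this paragraph now says nothing about +send+ at all, so a reader who arrives here directly sees only a list of safe methods with no pointer to the caveat above; suggest a short parenthetical such as "(+send+ and +__send__+ still create immortal symbols; see above)". The unchanged lead-in "While it might not be a good idea to call these with user inputs" also has an ambiguous "these": it reads as referring to the safe methods that follow rather than to the immortal-symbol-creating methods in the previous section, and would be clearer as "call the methods above with user inputs".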