diff options
Diffstat (limited to 'doc/command_injection.rdoc')
| -rw-r--r-- | doc/command_injection.rdoc | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/doc/command_injection.rdoc b/doc/command_injection.rdoc deleted file mode 100644 index ee33d4a04e..0000000000 --- a/doc/command_injection.rdoc +++ /dev/null @@ -1,37 +0,0 @@ -= Command Injection - -Some Ruby core methods accept string data -that includes text to be executed as a system command. - -They should not be called with unknown or unsanitized commands. - -These methods include: - -- Kernel.exec -- Kernel.spawn -- Kernel.system -- {\`command` (backtick method)}[rdoc-ref:Kernel#`] - (also called by the expression <tt>%x[command]</tt>). -- IO.popen (when called with other than <tt>"-"</tt>). - -Some methods execute a system command only if the given path name starts -with a <tt>|</tt>: - -- Kernel.open(command). -- IO.read(command). -- IO.write(command). -- IO.binread(command). -- IO.binwrite(command). -- IO.readlines(command). -- IO.foreach(command). -- URI.open(command). - -Note that some of these methods do not execute commands when called -from subclass +File+: - -- File.read(path). -- File.write(path). -- File.binread(path). -- File.binwrite(path). -- File.readlines(path). -- File.foreach(path). |