Diffstat (limited to 'doc/command_injection.rdoc')
-rw-r--r-- | doc/command_injection.rdoc | 16
1 files changed, 12 insertions, 4 deletions
diff --git a/doc/command_injection.rdoc b/doc/command_injection.rdoc index 8f1303bcf7..ee33d4a04e 100644 --- a/doc/command_injection.rdoc +++ b/doc/command_injection.rdoc @@ -1,4 +1,4 @@ -== Command Injection += Command Injection Some Ruby core methods accept string data that includes text to be executed as a system command. @@ -7,19 +7,27 @@ They should not be called with unknown or unsanitized commands. These methods include: +- Kernel.exec +- Kernel.spawn - Kernel.system -- {`command` (backtick method)}[rdoc-ref:Kernel#`] +- {\`command` (backtick method)}[rdoc-ref:Kernel#`] (also called by the expression <tt>%x[command]</tt>). -- IO.popen(command). +- IO.popen (when called with other than <tt>"-"</tt>). + +Some methods execute a system command only if the given path name starts +with a <tt>|</tt>: + +- Kernel.open(command). - IO.read(command). - IO.write(command). - IO.binread(command). - IO.binwrite(command). - IO.readlines(command). - IO.foreach(command). +- URI.open(command). Note that some of these methods do not execute commands when called -from subclass \File: +from subclass +File+: - File.read(path). - File.write(path). |
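Review bot: the first hunk's change from `-== Command Injection` to `+= Command Injection` turns the heading into the file's level-1 title, which is correct for a stand-alone rdoc page, but it only reads well if no other `=` heading remains later in command_injection.rdoc and the remaining sections use `==`; please confirm the rest of the file's outline still nests under this title.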
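Review bot: the second hunk leaves the list punctuation inconsistent: the new entries `+- Kernel.exec` and `+- Kernel.spawn` have no trailing period, while `+- Kernel.open(command).` and `+- URI.open(command).` keep the `(command).` form of the older items; pick one style for the whole list (the bare method name is enough, since the new paragraph about path names starting with `|` already explains the argument). Two wording points in the same hunk: `+- IO.popen (when called with other than <tt>"-"</tt>).` is hard to parse and would read more clearly as `IO.popen (unless the command is <tt>"-"</tt>)`, and the new paragraph introducing the `|`-prefixed methods should tell callers what to use instead, namely the `File` variants listed right below it (`File.read(path)`, `File.write(path)`), which the text already says do not execute commands and are therefore the right choice for user-supplied path names. The backtick escape in `{\`command` (backtick method)}` and the `+File+` markup fix both look correct.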