Diffstat (limited to 'doc/command_injection.rdoc')
-rw-r--r-- | doc/command_injection.rdoc | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/doc/command_injection.rdoc b/doc/command_injection.rdoc
new file mode 100644
index 0000000000..ee33d4a04e
--- /dev/null
+++ b/doc/command_injection.rdoc
@@ -0,0 +1,37 @@
+= Command Injection
+
+Some Ruby core methods accept string data
+that includes text to be executed as a system command.
+
+They should not be called with unknown or unsanitized commands.
+
+These methods include:
+
+- Kernel.exec
+- Kernel.spawn
+- Kernel.system
+- {\`command` (backtick method)}[rdoc-ref:Kernel#`]
+ (also called by the expression <tt>%x[command]</tt>).
+- IO.popen (when called with other than <tt>"-"</tt>).
+
+Some methods execute a system command only if the given path name starts
+with a <tt>|</tt>:
+
+- Kernel.open(command).
+- IO.read(command).
+- IO.write(command).
+- IO.binread(command).
+- IO.binwrite(command).
+- IO.readlines(command).
+- IO.foreach(command).
+- URI.open(command).
+
+Note that some of these methods do not execute commands when called
+from subclass +File+:
+
+- File.read(path).
+- File.write(path).
+- File.binread(path).
+- File.binwrite(path).
+- File.readlines(path).
+- File.foreach(path). |