Diffstat (limited to 'doc')
-rw-r--r-- doc/security.rdoc 5
1 files changed, 3 insertions, 2 deletions
diff --git a/doc/security.rdoc b/doc/security.rdoc
index 5fb7b15..2a610f1 100644
--- a/doc/security.rdoc
+++ b/doc/security.rdoc
@@ -75,9 +75,10 @@ They are created when modifying code:
* defining a method (e.g. with +define_method+),
* setting an instance variable (e.g. with +instance_variable_set+),
* creating a variable or constant (e.g. with +const_set+)
-Because of a bug, +send+ and +__send__+ also create immortal symbols.
-Finally, C extensions that have not been updated and are still calling `ID2SYM`
+C extensions that have not been updated and are still calling `ID2SYM`
will create immortal symbols.
+Bugs in 2.2.0: +send+ and +__send__+ also created immortal symbols,
+and calling methods with keyword arguments could also create some.
Don't create immortal symbols from user inputs. Otherwise, this would
allow a user to mount a denial of service attack against your application by
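Review bot: The added "Bugs in 2.2.0:" sentence names the affected release but not the release in which +send+, +__send__+ and keyword-argument calls stop creating immortal symbols, so a reader cannot tell from this paragraph whether passing user-derived names to +send+ is still a denial of service risk on their version. Suggest stating the fixed version next to "2.2.0", and replacing "could also create some" with what is actually interned (for example the keyword names), since that decides whether user input can reach it. Minor style point on the retained line: `ID2SYM` is in backticks while the rest of the paragraph uses RDoc's +...+ markup, so +ID2SYM+ would render consistently.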