path: root/doc/security/command_injection.rdoc
= Command Injection

Some Ruby core methods accept a single string that is handed to the system shell
as a command line, so any shell metacharacters in that string are interpreted.

They should not be called with commands built from unknown or unsanitized input.
When a command must carry user-supplied data, pass the program and its arguments
as separate elements (the array or multi-argument form) so that no shell is
involved; if a shell is genuinely required, escape each interpolated value first.

These methods include:

- Kernel.exec
- Kernel.spawn
- Kernel.system
- {\`command` (backtick method)}[rdoc-ref:Kernel#`]
  (also called by the expression <tt>%x[command]</tt>).
- IO.popen (when called with a command string rather than <tt>"-"</tt>,
  which forks a child Ruby process instead of running a command).
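
The following is an added example, not code from the Ruby documentation itself. It passes
the same attacker-controlled string (a constructed input containing <tt>;</tt>) through the
shell-interpreting string form of IO.popen, the argv-array form, and the string form with
Shellwords.escape applied. Only the first one executes the injected second command. The
method names <tt>run_unsafe</tt>, <tt>run_argv</tt> and <tt>run_escaped</tt> are
illustrative names chosen here, and a POSIX <tt>/bin/sh</tt> with <tt>echo</tt> is assumed.

```ruby
# Added example (not from the Ruby docs): the same user-controlled string
# passed through the shell-interpreting and the argv forms of IO.popen.
require "shellwords"

# Constructed attacker-controlled input: a shell metacharacter followed by
# a second command that should never run.
INJECTED_INPUT = "hi; echo INJECTED".freeze

# Vulnerable: a single string containing shell metacharacters is handed to
# /bin/sh -c, so the ';' terminates the intended command and starts another.
def run_unsafe(name)
  IO.popen("echo #{name}", &:read)
end

# Safe: an argv array is passed straight to exec(2); no shell is involved,
# so the whole string reaches echo as one literal argument.
def run_argv(name)
  IO.popen(["echo", name], &:read)
end

# Also safe when a shell is genuinely required (pipes, redirections):
# quote each interpolated value with Shellwords.escape before building
# the command line.
def run_escaped(name)
  IO.popen("echo #{Shellwords.escape(name)}", &:read)
end

if __FILE__ == $0
  puts run_unsafe(INJECTED_INPUT)   # prints "hi" then "INJECTED": injection succeeded
  puts run_argv(INJECTED_INPUT)     # prints "hi; echo INJECTED": literal, no shell
  puts run_escaped(INJECTED_INPUT)  # prints "hi; echo INJECTED": literal, shell quoted
end
```

Note that Ruby only routes the single-string form through <tt>/bin/sh</tt> when the string
contains shell metacharacters; a plain <tt>"echo hi"</tt> is split on whitespace and executed
directly. That is why the string form can look safe in testing and still be injectable once an
attacker supplies <tt>;</tt>, <tt>|</tt>, <tt>$( )</tt> or similar.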