mirror of https://github.com/ruby/ruby.git, synced 2026-01-29 21:44:28 +00:00
[Feature #19630] This dangerous behavior was removed in 4.0 (996cae65f3cc8fed60c6bb758b00882cac49389d) but the documentation wasn't updated.
16 lines
416 B
Plaintext
= Command Injection

Some Ruby core methods accept string data
that includes text to be executed as a system command.

They should not be called with unknown or unsanitized commands.

These methods include:

- Kernel.exec
- Kernel.spawn
- Kernel.system
- {`command` (backtick method)}[rdoc-ref:Kernel#`]
  (also called by the expression <tt>%x[command]</tt>).
- IO.popen (when called with other than <tt>"-"</tt>).
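The document above lists the methods but does not show the difference between the string form (which goes through the shell) and the array form (which execs the program directly). The following is an added example, not part of Ruby's documentation or this commit; it uses the running Ruby interpreter as the child process so it is self-contained, and the untrusted value is a constructed sample. The same string/array distinction applies to Kernel.system, Kernel.spawn and Kernel.exec; IO.popen is used here because it captures output.

```ruby
require "rbconfig"
require "shellwords"

# Constructed untrusted input: a "filename" that carries shell metacharacters.
UNTRUSTED = "report.txt; echo injected".freeze

# Child program used by every variant below: it reports how many arguments it
# received and what the first one was. Any external program would do; the
# running Ruby is used so the example runs anywhere Ruby does.
CHILD_CODE = "puts ARGV.length; puts ARGV.first".freeze
RUBY = Shellwords.escape(RbConfig.ruby)

def parse_child_output(out)
  lines = out.lines(chomp: true)
  { argc: lines[0].to_i, first: lines[1], extra: lines[2..] }
end

# Unsafe: the single-string form of IO.popen (like system, spawn, exec and
# backticks) hands the whole string to /bin/sh, so the ';' in the input ends
# the ruby command and the rest runs as a second command.
def shell_string_form(arg)
  parse_child_output(IO.popen("#{RUBY} -e '#{CHILD_CODE}' -- #{arg}", &:read))
end

# Safe: the array form execs the program directly, with no shell involved.
# The argument reaches the child verbatim, metacharacters included, as one
# element of ARGV.
def array_form(arg)
  parse_child_output(IO.popen([RbConfig.ruby, "-e", CHILD_CODE, "--", arg], &:read))
end

# Acceptable only when a shell string is unavoidable: Shellwords.escape quotes
# the value so the shell treats it as a single word. Prefer the array form.
def escaped_string_form(arg)
  cmd = "#{RUBY} -e '#{CHILD_CODE}' -- #{Shellwords.escape(arg)}"
  parse_child_output(IO.popen(cmd, &:read))
end

if $PROGRAM_NAME == __FILE__
  p shell_string_form(UNTRUSTED)   # first is "report.txt", extra carries the second command's output
  p array_form(UNTRUSTED)          # first is the whole untrusted string, extra is empty
  p escaped_string_form(UNTRUSTED) # same result as the array form
end
```

The check to apply in review is mechanical: any call to these methods whose first argument is an interpolated string built from external data is the pattern the document warns about; rewriting it as `method("program", arg1, arg2)` removes the shell from the path entirely.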