ruby-security - issue #2

Mention that send() can call itself


Posted on Sep 21, 2012 by Helpful Rhino

Limiting send() to only calling methods listed in self.class.public_instance_methods can easily be bypassed by having send call itself.

send(:send,:instance_eval,"system('whoami')")

Comment #1

Posted on Sep 21, 2012 by Happy Bird

FYI: there's an example of:

"kumys".send("send", "send", :send, "length")

which illustrates this point.

Status: WontFix

Labels:
Type-Defect Priority-Medium
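
An added example, not part of the issue thread or the ruby-security project's own code, showing the check described in the report beside a stricter dispatcher. The `Report` class, its `signing_key` method, and the `weak_dispatch`, `strict_dispatch` and `try_dispatch` helpers are hypothetical names constructed for illustration.

```ruby
# Constructed class for illustration; these names do not come from the issue.
class Report
  def title; "Q3 summary"; end
  def length; 42; end

  private

  # Stands in for anything a caller must never reach (e.g. private Kernel methods).
  def signing_key; "constructed-secret"; end
end

# Weak: the check described in the issue. :send is itself listed in
# public_instance_methods, so it passes, and send then forwards the
# remaining arguments with no visibility check at all.
def weak_dispatch(obj, name, *args)
  unless obj.class.public_instance_methods.include?(name.to_sym)
    raise ArgumentError, "method not allowed: #{name}"
  end
  obj.send(name, *args)
end

# Hardened: allow only methods the class defines itself.
# public_instance_methods(false) leaves out everything inherited from
# Object/Kernel/BasicObject (send, __send__, public_send, instance_eval).
# public_send alone is not enough, because send is a public method.
def strict_dispatch(obj, name, *args)
  allowed = obj.class.public_instance_methods(false)
  sym = name.to_s.to_sym
  raise ArgumentError, "method not allowed: #{name}" unless allowed.include?(sym)
  obj.public_send(sym, *args)
end

# Returns :blocked when the named dispatcher refuses the call.
def try_dispatch(dispatcher, obj, *call)
  method(dispatcher).call(obj, *call)
rescue ArgumentError, NoMethodError
  :blocked
end

if $PROGRAM_NAME == __FILE__
  r = Report.new
  puts "weak,   direct private call: #{try_dispatch(:weak_dispatch, r, :signing_key)}"
  puts "weak,   via send:            #{try_dispatch(:weak_dispatch, r, :send, :signing_key)}"
  puts "strict, via send:            #{try_dispatch(:strict_dispatch, r, :send, :signing_key)}"
  puts "strict, allowed method:      #{try_dispatch(:strict_dispatch, r, :length)}"
end
```
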