TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

[ci skip] Avoid suggesting dangerous code in i18n guide

Browse Source 
Calling `to_sym` on user input opens apps up to Denial of Service attacks, via the symbol table being expanded to consume vast swathes of memory.

It is a fairly common configuration to have DNS configured such that all subdomains route to your Rails app, in which case an attacker visits `www1.foo.com`, `www2.foo.com`, and so on until something gives.

It is far less likely to have this problem with TLDs, so that change was only for consistency.
This commit is contained in:
Mike MacDonald 2014-04-15 21:03:28 -04:00
parent e665ce7141
commit 19b2bcc76d
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
guides/source/i18n.md
View File

@ -179,7 +179,7 @@ end
# in your /etc/hosts file to try this out locally
def extract_locale_from_tld
parsed_locale = request.host.split('.').last
I18n.available_locales.include?(parsed_locale.to_sym) ? parsed_locale : nil
I18n.available_locales.map(&:to_s).include?(parsed_locale) ? parsed_locale : nil
end
```
@ -192,7 +192,7 @@ We can also set the locale from the _subdomain_ in a very similar way:
# in your /etc/hosts file to try this out locally
def extract_locale_from_subdomain
parsed_locale = request.subdomains.first
I18n.available_locales.include?(parsed_locale.to_sym) ? parsed_locale : nil
I18n.available_locales.map(&:to_s).include?(parsed_locale) ? parsed_locale : nil
end
```