Improve security guide by avoiding single character block argument names
For a start it's easier to grasp what the argument actually means. For another thing it's much more consistent with the other parts of the guide.
This commit is contained in:
parent
39d22f9bf2
commit
a330b7262e
@ -908,21 +908,21 @@ system("/bin/echo","hello; rm *")
`Kernel#open` executes OS command if the argument starts with a vertical bar (`|`).
`Kernel#open` executes OS command if the argument starts with a vertical bar (`|`).
```ruby
```ruby
open('| ls') { |f| f.read }
open('| ls') { |file| file.read }
# returns file list as a String via `ls` command
# returns file list as a String via `ls` command
```
```
Countermeasures are to use `File.open`, `IO.open` or `URI#open` instead. They don't execute an OS command.
Countermeasures are to use `File.open`, `IO.open` or `URI#open` instead. They don't execute an OS command.
```ruby
```ruby
File.open('| ls') { |f| f.read }
File.open('| ls') { |file| file.read }
# doesn't execute `ls` command, just opens `| ls` file if it exists
# doesn't execute `ls` command, just opens `| ls` file if it exists
IO.open(0) { |f| f.read }
IO.open(0) { |file| file.read }
# opens stdin. doesn't accept a String as the argument
# opens stdin. doesn't accept a String as the argument
require 'open-uri'
require 'open-uri'
URI('https://example.com').open { |f| f.read }
URI('https://example.com').open { |file| file.read }
# opens the URI. `URI()` doesn't accept `| ls`
# opens the URI. `URI()` doesn't accept `| ls`
```
```
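Review bot: in the `Kernel#open` example, `open('| ls') { |file| file.read }`, the new name `file` works against the point the surrounding text makes: the object yielded there is an IO attached to the `ls` subprocess, not a file, and the same holds for `IO.open(0) { |file| file.read }`, which yields stdin. Consider `|io|` for those two and keep `|file|` only for the `File.open('| ls')` case, so the parameter names reinforce the distinction between "opens a file" and "runs a command" that this section is teaching.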
@ -1098,22 +1098,22 @@ Example controller overrides:
```ruby
```ruby
# Override policy inline
# Override policy inline
class PostsController < ApplicationController
class PostsController < ApplicationController
content_security_policy do |p|
content_security_policy do |policy|
p.upgrade_insecure_requests true
policy.upgrade_insecure_requests true
end
end
end
end
# Using literal values
# Using literal values
class PostsController < ApplicationController
class PostsController < ApplicationController
content_security_policy do |p|
content_security_policy do |policy|
p.base_uri "https://www.example.com"
policy.base_uri "https://www.example.com"
end
end
end
end
# Using mixed static and dynamic values
# Using mixed static and dynamic values
class PostsController < ApplicationController
class PostsController < ApplicationController
content_security_policy do |p|
content_security_policy do |policy|
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
policy.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
end
end
end
end
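Review bot: besides readability, renaming the block parameter from `p` to `policy` stops it from shadowing `Kernel#p` inside the `content_security_policy` block, which is worth a sentence in the guide since these snippets get copied as-is. Separately, the mixed static and dynamic example `policy.base_uri :self, -> { "https://#{current_user.domain}.example.com" }` interpolates `current_user.domain` directly into a CSP source expression; the guide should state that such a value must already be a validated hostname label, because a space or `;` inside it would be emitted into the header and widen the directive with additional sources.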