comp.lang.ruby

Using user supplied string String#include?

Tobias Reif

9/17/2007 3:54:00 PM

Hi

In a web app that will soon be out there in the vast and partially
evil web, I might take a string which a user supplied via an HTML
form, and use it roughly like this:

some_str.downcase.include?(user_supplied_str.downcase)

Would this be dangerous? Could the visitor smuggle in stuff like
backticks or #{}?

Should I increase $SAFE, use #taint, and filter out dangerous
characters?

Tobi


1 Answer

Jano Svitok

9/17/2007 7:48:00 PM

On 9/17/07, Tobi Reif <tobiasreif@pinkjuice.com> wrote:
> Hi
>
> In a web app that will soon be out there in the vast and partially
> evil web, I might take a string which a user supplied via an HTML
> form, and use it roughly like this:
>
> some_str.downcase.include?(user_supplied_str.downcase)
>
> Would this be dangerous? Could the visitor smuggle in stuff like
> backticks or #{}?

No. Here it's perfectly safe - you have to call eval to evaluate #{},
`` etc. Other dangerous actions might be "send", "class_eval", ... but
here you are not using any of them.
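The distinction in the answer, as an added example that is not part of the original thread: `String#include?` scans the user string as plain data, so `#{}` and backticks inside it are just characters, while `eval` is the call that turns text into code. Assumes Ruby 2.4 or later; the inputs are constructed for the demonstration.

```ruby
# Added example (not from the original thread): String#include? treats a
# user-supplied string as data; only eval interprets #{} and backticks.
# Assumes Ruby 2.4+ (Hash#transform_values).

# Case-insensitive substring check, exactly the pattern asked about.
# No $SAFE or taint tracking is needed here, and modern Ruby has dropped them.
def contains_user_term?(haystack, user_supplied)
  haystack.downcase.include?(user_supplied.downcase)
end

# Constructed inputs as they would arrive from a form field: interpolation
# and backtick syntax delivered as data, not as Ruby source. Single quotes
# mean nothing is interpolated when this file is parsed either.
CONSTRUCTED_INPUTS = {
  interpolation: '#{1 + 1}',
  backticks:     '`date`',
  plain:         'Ruby',
}.freeze

# include? only looks for the characters; braces and backticks match literally.
def literal_match_results(haystack)
  CONSTRUCTED_INPUTS.transform_values { |term| contains_user_term?(haystack, term) }
end

# The contrast: handing the same data to eval as *source code* makes Ruby
# interpret the interpolation. This is the call the answer warns about and
# must never see user input; it is shown here only with harmless arithmetic.
def evaluated(term)
  eval(%("#{term}")) # builds the source text "<term>" and evaluates it
end

if __FILE__ == $PROGRAM_NAME
  haystack = 'Teach yourself ruby: #{1 + 1} is not evaluated'
  p literal_match_results(haystack) # => {:interpolation=>true, :backticks=>false, :plain=>true}
  p evaluated('#{1 + 1}')           # => "2"
end
```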