[openstreetmap/openstreetmap-website] Use Open3.capture2 instead of backticks, to avoid command line injection risks (#2597)
Andy Allan
notifications at github.com
Wed Apr 22 11:30:55 UTC 2020
In this situation, `trace_name` can be trivially checked as legitimate, but this removes any lingering risks from interpolating into a command line instead of passing parameters explicitly.
Refs #2229
You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/openstreetmap-website/pull/2597
-- Commit Summary --
* Use Open3.capture2 instead of backticks, to avoid command line injection risks
-- File Changes --
M app/models/trace.rb (7)
-- Patch Links --
https://github.com/openstreetmap/openstreetmap-website/pull/2597.patch
https://github.com/openstreetmap/openstreetmap-website/pull/2597.diff
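A worked example added here (not code from the PR or from the openstreetmap-website project) showing the backtick form the PR removes beside the Open3.capture2 form it introduces, run on a constructed trace name carrying a shell metacharacter, plus the kind of allowlist check the PR's note about `trace_name` being checkable suggests. The `echo` command, the function names and the trace-name pattern are assumptions standing in for the model's real command and naming scheme.

```ruby
require "open3"

# Before (the pattern the PR removes): trace_name is interpolated into one
# string, which Ruby hands to /bin/sh, so any shell metacharacters in the
# name become shell syntax. `echo` is an assumed stand-in for the real command.
def inspect_with_backticks(trace_name)
  `echo #{trace_name}`.chomp
end

# After (the pattern the PR introduces): each argument is a separate array
# element, so Ruby execs the program directly with no shell in between and
# the name arrives as one literal argv entry, metacharacters included.
def inspect_with_capture2(trace_name)
  out, status = Open3.capture2("echo", trace_name)
  raise "command failed: #{status}" unless status.success?
  out.chomp
end

# Defence in depth, matching the PR's note that the name can be checked as
# legitimate: accept only the shape a generated trace file name should have
# (an assumed scheme: optional directory, numeric id, .gpx suffix, no dots
# in directory components so "../" cannot slip through).
TRACE_NAME = %r{\A/?(?:[\w-]+/)*\d+\.gpx\z}.freeze

def valid_trace_name?(trace_name)
  TRACE_NAME.match?(trace_name)
end

# Constructed sample input: a name that smuggles a second command in.
ODD_NAME = "trace.gpx; echo INJECTED".freeze

if __FILE__ == $PROGRAM_NAME
  puts inspect_with_backticks(ODD_NAME) # two lines: the shell ran both commands
  puts inspect_with_capture2(ODD_NAME)  # one line: the whole name, verbatim
  puts valid_trace_name?(ODD_NAME)      # false: rejected before any command runs
end
```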