
Recommend using String#dump when embedding user-input into output/exceptions/log messages #4

@GoogleCodeExporter
Simply embedding a variable into a String, which is then printed or written to a log file, may result in forged messages. Instead, String#dump should be called.

puts "Received message: #{mesg.dump}"

log.info "User logged in: #{username.dump}"

raise("invalid command: #{command.dump}")

Original issue reported on code.google.com by postmode...@gmail.com on 21 Sep 2012 at 1:25
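
The forged-message problem described in the issue, shown as an added example that is not part of the original report: a username containing CR/LF creates a second log record when interpolated raw, and stays a single record when passed through `String#dump`. The input value, the log format and the helper names (`build_logger`, `log_login`, `record_count`) are assumptions made for the illustration.

```ruby
require "logger"
require "stringio"

# Constructed sample input: a CR/LF followed by text shaped like a log record.
FORGED_USERNAME = "guest\r\nINFO -- : User logged in: admin"

# Hypothetical helper: a Logger writing to memory, one record per line.
def build_logger(io)
  logger = Logger.new(io)
  logger.formatter = proc { |severity, _time, _prog, msg| "#{severity} -- : #{msg}\n" }
  logger
end

# Log the username raw (interpolated as-is) or via String#dump; return the log text.
def log_login(username, escape:)
  io = StringIO.new
  shown = escape ? username.dump : username
  build_logger(io).info("User logged in: #{shown}")
  io.string
end

# Count the records a line-oriented log reader would see.
def record_count(log_text)
  log_text.lines.count { |line| line.start_with?("INFO -- : ") }
end

raw  = log_login(FORGED_USERNAME, escape: false)
safe = log_login(FORGED_USERNAME, escape: true)

puts "--- raw interpolation (#{record_count(raw)} records) ---"
puts raw
puts "--- String#dump (#{record_count(safe)} record) ---"
puts safe
```

The dumped value can be turned back into the original bytes with `String#undump` when an investigator needs the exact input.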
