Preventing security vulnerability where users could call "puts ENV"

1 parent 6586f24 commit 31ab9a3aa9ce544ea619e9ed48419a5dfc29a92a David Davis committed Apr 1, 2012
Showing with 2 additions and 1 deletion.
  1. +2 −1 lib/sicuro/base.rb
@@ -136,7 +136,8 @@ def self._safe_eval(code, memlimit)
begin
output_io = $stdout = $stderr = StringIO.new
- code = '$SAFE = 3; BEGIN { $SAFE=3 };' + code
+ remove_env = "Object.class_eval { remove_const :ENV };"
+ code = remove_env + '$SAFE = 3; BEGIN { $SAFE=3 };' + code
result = ::Kernel.eval(code, TOPLEVEL_BINDING)
rescue Exception => e
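Review bot: the new `remove_env` prelude in this hunk mutates interpreter-wide state, since `Object.class_eval { remove_const :ENV }` is evaluated against `TOPLEVEL_BINDING` of the process running `_safe_eval`; unless every call runs in a fresh child process, the second call in the same process will raise `NameError` from `remove_const` before the user's code is reached, and the host's own `ENV` is gone for the rest of the process. Consider guarding the removal, e.g. `Object.send(:remove_const, :ENV) if Object.const_defined?(:ENV)`, or moving it into the one-time sandbox setup. Note also that removing the constant only hides the name; the process environment itself is unchanged, so if the goal is to keep secrets out of the sandbox, clearing or whitelisting the environment variables in the child is the more robust fix, and a short comment above `remove_env` explaining the threat (user code printing `ENV`) would help future readers.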
