diff options
| author | Mike MacDonald <crazymykl@gmail.com> | 2014-04-15 21:03:28 -0400 |
|---|---|---|
| committer | Mike MacDonald <crazymykl@gmail.com> | 2014-04-15 21:19:00 -0400 |
| commit | 19b2bcc76dde5f35d9b98ecf04c95198ab91dacc (patch) | |
| tree | c5fbe8b352b3dba6db59dc031c3f2e7a46ce6505 | |
| parent | e665ce714133bfc0b45a20359c7d5af86bfb54d9 (diff) | |
| download | rails-19b2bcc76dde5f35d9b98ecf04c95198ab91dacc.tar.gz rails-19b2bcc76dde5f35d9b98ecf04c95198ab91dacc.tar.bz2 rails-19b2bcc76dde5f35d9b98ecf04c95198ab91dacc.zip | |
[ci skip] Avoid suggesting dangerous code in i18n guide
Calling `to_sym` on user input opens apps up to Denial of Service attacks, via the symbol table being expanded to consume vast swathes of memory.
It is a fairly common configuration to have DNS configured such that all subdomains route to your Rails app, in which case an attacker visits `www1.foo.com`, `www2.foo.com`, and so on until something gives.
It is far less likely to have this problem with TLDs, so that change was only for consistency.
| -rw-r--r-- | guides/source/i18n.md | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/guides/source/i18n.md b/guides/source/i18n.md index 466ffe7907..62516bfd75 100644 --- a/guides/source/i18n.md +++ b/guides/source/i18n.md @@ -179,7 +179,7 @@ end # in your /etc/hosts file to try this out locally def extract_locale_from_tld parsed_locale = request.host.split('.').last - I18n.available_locales.include?(parsed_locale.to_sym) ? parsed_locale : nil + I18n.available_locales.map(&:to_s).include?(parsed_locale) ? parsed_locale : nil end ``` @@ -192,7 +192,7 @@ We can also set the locale from the _subdomain_ in a very similar way: # in your /etc/hosts file to try this out locally def extract_locale_from_subdomain parsed_locale = request.subdomains.first - I18n.available_locales.include?(parsed_locale.to_sym) ? parsed_locale : nil + I18n.available_locales.map(&:to_s).include?(parsed_locale) ? parsed_locale : nil end ``` |