Diffstat (limited to 'railties')
-rw-r--r-- railties/guides/source/security.textile | 8
1 files changed, 2 insertions, 6 deletions
diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile
index 066da15573..6b84ca1965 100644
--- a/railties/guides/source/security.textile
+++ b/railties/guides/source/security.textile
@@ -528,7 +528,7 @@ Ruby uses a slightly different approach than many other languages to match the e
<ruby>
class File < ActiveRecord::Base
- validates_format_of :name, :with => /^[\w\.\-\+]+$/ # [1]
+ validates_format_of :name, :with => /^[\w\.\-\+]+$/
end
</ruby>
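Review bot: Dropping the `# [1]` marker is consistent with removing the fn1 footnote it pointed at, but note that the retained `/^[\w\.\-\+]+$/` is the intentionally line-anchored pattern this section warns about, and the marker was the only annotation on that line; please confirm the paragraph introduced by "Ruby uses a slightly different approach than many other languages to match the end..." still makes clear on its own that `^` and `$` match at line boundaries rather than the start and end of the whole string, so the example is not read as a recommended validation.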
@@ -541,13 +541,9 @@ file.txt%0A<script>alert('hello')</script>
Whereas %0A is a line feed in URL encoding, so Rails automatically converts it to "file.txt\n&lt;script&gt;alert('hello')&lt;/script&gt;". This file name passes the filter because the regular expression matches – up to the line end, the rest does not matter. The correct expression should read:
<ruby>
-/\A[\w\.\-\+]+\z/ # [2]
+/\A[\w\.\-\+]+\z/
</ruby>
-fn1. Obviously, this regular expression gets rendered incorrectly by Textile. Could the original author please see into this?
-
-fn2. And this too, please.
-
h4. Privilege escalation
-- _Changing a single parameter may give the user unauthorized access. Remember that every parameter may be changed, no matter how much you hide or obfuscate it._
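Review bot: The fn1 and fn2 footnotes reported that Textile renders these regular expressions incorrectly, and this hunk removes the report without showing that the rendering is fixed; before merging, check that `/\A[\w\.\-\+]+\z/` inside the `<ruby>` block renders with `\A` and `\z` intact, since a reader who copies a mangled anchor ends up with exactly the line-end-only match the paragraph above describes. With the `# [2]` comment gone the block is a bare regex literal, which is acceptable, though a short comment such as `# \A and \z anchor to the whole string, not a single line` would preserve the explanatory intent the footnote marker used to signal.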