Diffstat (limited to 'doc')
-rw-r--r-- | doc/security.rdoc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/doc/security.rdoc b/doc/security.rdoc index 5fb7b158b0..2a610f1557 100644 --- a/doc/security.rdoc +++ b/doc/security.rdoc @@ -75,9 +75,10 @@ They are created when modifying code: * defining a method (e.g. with +define_method+), * setting an instance variable (e.g. with +instance_variable_set+), * creating a variable or constant (e.g. with +const_set+) -Because of a bug, +send+ and +__send__+ also create immortal symbols. -Finally, C extensions that have not been updated and are still calling `ID2SYM` +C extensions that have not been updated and are still calling `ID2SYM` will create immortal symbols. +Bugs in 2.2.0: +send+ and +__send__+ also created immortal symbols, +and calling methods with keyword arguments could also create some. Don't create immortal symbols from user inputs. Otherwise, this would allow a user to mount a denial of service attack against your application by |
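Review bot: The added "Bugs in 2.2.0:" sentence says these calls "also created immortal symbols" in the past tense but never says in which release they were fixed, so a reader on 2.2.x cannot tell whether they are still affected; state the fixed version explicitly next to "Bugs in 2.2.0:". The second clause "and calling methods with keyword arguments could also create some" is vague ("some") and repeats "also"; suggest "and calling methods with keyword arguments could also create immortal symbols." Minor style point on the surviving context: method names use RDoc +...+ markup while `ID2SYM` uses backticks; pick one markup style for identifiers in this file.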