> On Jul 12, 2016, at 10:19 AM, Frederick Cheung <[email protected]> > wrote: > > > On Sunday, July 10, 2016 at 4:28:39 PM UTC+1, Walter Lee Davis wrote: > I was just looking over some code I wrote last year, and found this in one of > my mailers: > > @item = eval(params[:item].classify).send(:find, params[:item_id]) > > The idea here is that I can have the mailer respond to a polymorphic link > helper, and respond with an object reference of the referenced object, > regardless which it was -- a Project, Campaign, Asset, Lightbox -- whatever. > Inside the mailer erb, any links to that object would be as simple as > > link_to @item.label, polymorphic_url(@item) > > ...so my mailer messages don't have to care what sort of object they are > sending a link to. This year, seeing send in the same line as params is > giving me the willies. Hence my question here. > > Besides adding some guards around which classes I want to allow this for > (which just occurred to me as I was typing this out) can you recommend any > other techniques to make this less risky? Is there anything built into the > framework that I am overlooking? > > > > I would prefer constantize over eval(foo.classify) and public_send over send. > I'd still be happier with a whitelist though, or translating between the > class name and some string that represents it - security aside, having an > implementation detail leak out like that doesn't smell too good. > > Fred
Those are good ideas, thanks, Fred! Walter > > -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Talk" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/rubyonrails-talk/afb0c898-4781-4097-a3cc-b74b12e1405d%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/876CFB52-5F0F-4F73-AF07-730C16891CC4%40wdstudio.com. For more options, visit https://groups.google.com/d/optout.
