added a tutorial for command injection

2013-07-10 20:42:04 -04:00
parent 82b5809bee
commit 14c1fb367d
2 changed files with 16 additions and 1 deletions
@@ -12,6 +12,13 @@ class Benefits < ActiveRecord::Base
 
 def self.make_backup(file, data_path, full_file_name)
   system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
+   # FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}"
 end
+
+=begin 
+ def self.make_backup(file, data_path, full_file_name)
+   FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}"
+ end
+=end 
 
 end
@@ -124,8 +124,16 @@
 			   </pre>
 			   <p><b>SQL Injection - SOLUTION</b></p>
 			   <p class="desc">
-				The solution is fairly simple and because this is so poorly done there are numerous ways to fix the vulnerability. One option, is to abstract a file creation method and pass it options such as the path and filename, then call it twice, once for the initial upload and another for the backup. Another option is to make a copy through the use of the 
+				The solution is fairly simple and because this is so poorly done there are numerous ways to fix the vulnerability. One option, is to abstract a file creation method and pass it options such as the path and filename, then call it twice, once for the initial upload and another for the backup. Another option is to make a copy through the use of the FileUtils. 
 			   </p>
+			   <p>
+				As an example:
+			   </p>	
+			   <pre class="ruby"> 
+					def self.make_backup(file, data_path, full_file_name)
+					   FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}"
+					 end
+			   </pre>	
            </div>
          </div>
        </div>