Open ooooooo-q opened 2 years ago
Thanks for the report. I don't know how I would build an allow list, especially considering the different processing backends. I will try adding a deny list for #send, #public_send, and #__send__, as well as fix #method_missing to also call #public_send instead of #send.
I confirmed from the https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada commit that there are other attack methods.
It seems that other unexpected behavior is possible, so I think it is better to make an allow list and deal with it.
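As an added illustration of the two approaches discussed in this thread (not code from image_processing; FakeBackend, UnsafeChain, SafeChain and try_call are constructed names for this example): a method_missing that forwards every name with #send, beside one that checks an explicit allow list and forwards with #public_send.

```ruby
require "set"

# Constructed stand-in for a processing backend (not the gem's real one).
class FakeBackend
  def resize(w, h); "resize(#{w}x#{h})"; end
  private
  def dangerous; "private method reached"; end
end

# Pattern described in the report: every unknown method name is forwarded
# with #send, which ignores visibility, so a name taken from user input can
# reach private methods, and a name such as :send itself is forwarded too.
class UnsafeChain
  def initialize(backend)
    @backend = backend
  end

  def method_missing(name, *args)
    @backend.send(name, *args)
  end
end

# Hardened form: an explicit allow list is checked before any dispatch, and
# the call goes through #public_send so private methods stay unreachable.
# Anything not on the list falls through to the normal NoMethodError.
class SafeChain
  ALLOWED = Set.new(%i[resize]).freeze

  def initialize(backend)
    @backend = backend
  end

  def method_missing(name, *args)
    return super unless ALLOWED.include?(name)
    @backend.public_send(name, *args)
  end

  def respond_to_missing?(name, include_private = false)
    ALLOWED.include?(name) || super
  end
end

# Dispatches an operation by name (as a pipeline would with user-supplied
# operation names); returns the result, or the error class name if refused.
def try_call(chain, name, *args)
  chain.public_send(name, *args)
rescue NoMethodError => e
  e.class.name
end
```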