I’m using Ruby’s system method. system(/bin/wget, -pk, -nd, -P, /public/download, #{URL}) where URL is

Question

0

Asked: June 14, 20262026-06-14T06:57:20+00:00 2026-06-14T06:57:20+00:00

I’m using Ruby’s system method. system(/bin/wget, -pk, -nd, -P, /public/download, #{URL}) where URL is

0

I’m using Ruby’s system method.

system("/bin/wget", "-pk", "-nd", "-P", "/public/download", "#{URL}")

where URL is filled in by the user.

What checks should I perform on the server against URL to make sure that the user is not doing something malicious?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-14T06:57:22+00:00

Editorial Team

2026-06-14T06:57:22+00:00Added an answer on June 14, 2026 at 6:57 am

My understanding is that in the way you’ve called it, you don’t have to worry about someone passing in say ; rm -rf *. However, if wget does anything special to the URL you might. For example, curl lets you do some regex/range/wildcard stuff in the URL itself.

You might consider running URL through URI.parse and catch URI::InvalidURIError.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m using Ruby’s system method. system(/bin/wget, -pk, -nd, -P, /public/download, #{URL}) where URL is

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply