Rails Ev(i|a)l @ April Fools' Day

Tags: Rails

First, create an evil, oh no, an eval controller.

app/controllers/ruby_eval_controller.rb

```ruby
class RubyEvalController < ApplicationController
  def do
    # eval runs whatever Ruby string the request supplied as params[:ruby].
    # That is the whole joke: the request body is executed as code.
    if @result = eval(params[:ruby])
      render :xml => @result
    else
      head :ok
    end
  end
end
```

Then, let's post some evil params.

POST /ruby_eval

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<ruby>User.find_by_intro('I am eval or evil?')</ruby>
```
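To catch this pattern in a code base before it ships, here is an added example (not code from the post): a small Ripper-based scanner that flags `eval`, `instance_eval`, `class_eval` and `module_eval` calls whose arguments reference `params`. The function names are my own, and the sample controller source is constructed to mirror the one above (with the action named `run` rather than `do`).

```ruby
require "ripper"
# Methods that execute a string as Ruby code.
EVAL_METHODS = %w[eval instance_eval class_eval module_eval].freeze

# Depth-first walk over a Ripper S-expression, yielding every array node.
def each_node(node, &block)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &block) }
end

# True when the subtree contains a bare `params` reference, e.g. params[:ruby].
def references_params?(node)
  each_node(node) { |n| return true if n[0] == :@ident && n[1] == "params" }
  false
end

# Scan Ruby source for code-evaluating calls whose arguments come from
# request params. Returns strings like "eval on line 3".
def find_eval_of_params(source)
  sexp = Ripper.sexp(source)
  return [] unless sexp # syntax error: nothing to scan
  findings = []
  each_node(sexp) do |n|
    ident, args =
      case n[0]
      when :method_add_arg # eval(x) or obj.class_eval(x)
        [n[1][0] == :fcall ? n[1][1] : n[1][3], n[2]]
      when :command      then [n[1], n[2]] # eval x
      when :command_call then [n[3], n[4]] # obj.class_eval x
      end
    next unless ident.is_a?(Array) && ident[0] == :@ident
    name, line = ident[1], ident[2][0]
    next unless EVAL_METHODS.include?(name) && references_params?(args)
    findings << "#{name} on line #{line}"
  end
  findings
end
# Constructed sample in the shape of the controller above (not the post's file).
SAMPLE_SOURCE = <<~RUBY
  class RubyEvalController < ApplicationController
    def run
      @result = eval(params[:ruby])    # the bug from the post
      render :xml => @result
    end
    def patch
      User.class_eval params[:patch]   # same bug, without parentheses
    end
  end
RUBY
```

Running `find_eval_of_params` over a whole `app/` tree is a cheap pre-commit check; a constant string passed to `eval` is not flagged, only arguments that mention `params`.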