Very interesting :D I did not know it; fortunately, in real work I use
a URI validation before

irb(main):379:0> open(URI '|touch n;\nhttp://url.com')
URI::InvalidURIError: bad URI(is not URI?): |touch n;\nhttp://url.com


Thread name: "Re: Fwd: [ANN] http.rb 0.8.0: a fast, streaming HTTP library with a chainable API" 
Mail number: 3 
Date: Thu, Apr 02, 2015 
In reply to: Tony Arcieri 
>
> On Thu, Apr 2, 2015 at 9:50 AM, Lázaro Armando <lazaro / hcg.sld.cu> wrote:
> 
> > tell me one more thing, because open-uri
> >
> > open('http://www.sld.cu').read
> >
> 
> Except you just leaked a file descriptor. You probably want to do:
> 
> open('http://www.sld.cu') { |conn| conn.read }
> 
> 
> > do exactly the same thing
> >
> 
> Hope you're not passing attacker-controlled data to that!
> 
> http://sakurity.com/blog/2015/02/28/openuri.html
> 
> -- 
> Tony Arcieri
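
The validation and the block form discussed in this thread, combined into one fetch path. This is an added example, not code from either poster or from http.rb; `UnsafeURLError`, `validated_http_uri`, `allowed?` and `fetch` are hypothetical names, and the sample inputs are constructed from the strings quoted above.

```ruby
require 'uri'
require 'open-uri'

# Hypothetical error type for inputs that must never reach an open call.
class UnsafeURLError < ArgumentError; end

# Parse the untrusted input and accept only http(s) URLs with a host.
# URI::HTTPS is a subclass of URI::HTTP, so one is_a? check covers both.
def validated_http_uri(input)
  uri = begin
    URI.parse(input.to_s)
  rescue URI::InvalidURIError => e
    # "|touch n;..." ends up here: it is not a URI at all.
    raise UnsafeURLError, "not a URI: #{e.message}"
  end
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    # Bare paths, file: URLs and scheme-only strings end up here.
    raise UnsafeURLError, 'only http(s) URLs with a host are allowed'
  end
  uri
end

# Boolean wrapper, convenient for input filtering and for tests.
def allowed?(input)
  validated_http_uri(input)
  true
rescue UnsafeURLError
  false
end

# Fetch through URI#open (added by open-uri), not Kernel#open, so the
# string is never interpreted as a pipe command or a local path.
# The block form closes the connection when the block returns.
def fetch(input)
  validated_http_uri(input).open { |conn| conn.read }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; nothing here touches the network.
  ['http://www.sld.cu', "|touch n;\nhttp://url.com", '/etc/passwd'].each do |s|
    puts "#{s.inspect} => #{allowed?(s) ? 'allowed' : 'rejected'}"
  end
end
```
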