Date: Mon, 5 Oct 2009 16:02:46 -0700
From: Eric Wong <normalperson@yhbt.net>
To: rack-devel@googlegroups.com
Subject: Re: Questions about the Prohibition of String Subclasses in responses
Message-ID: <20091005230246.GA27564@dcvr.yhbt.net>
Mailing-List: list rack-devel@googlegroups.com; contact rack-devel+owner@googlegroups.com

Michael Koziarski wrote:
> Hey Guys,
>
> As I prepare to merge the new on-by-default XSS protection into rails
> I'm bumping up against a constraint in rack, and I'm having trouble
> figuring out why it's there.
>
> http://github.com/chneukirchen/rack/blob/master/lib/rack/lint.rb#L465-475
>
> Our XSS safe responses will fail this test because they return an
> instance of ActionView::SafeBuffer which is a subclass of String. We
> use a subclass so that we can make all the concat and append
> operations escape their arguments.
>
> What's the rationale for preventing me from sending a subclass of
> string?

Not speaking for anyone else here, but this may break C extensions at
this point. It was probably done this way to make extensions easier to
implement.

The core Ruby IO functions all call rb_obj_as_string() to convert their
arguments to strings, but some extensions out there may not[1].

[1] *my* C extensions are safe against this, of course :)

-- 
Eric Wong
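An added illustration of the point under discussion (example code written for this page, not Rack's or Rails' own): a minimal String subclass that escapes on concat/<<, the way Michael's post describes ActionView::SafeBuffer, run through an instance_of?-style check (assumed here to be what the linked Rack::Lint range did at the time) next to a kind_of? check, plus two body consumers: one that coerces each part with to_s the way Eric says Ruby's core IO does, and one that insists on the exact class. The class and function names (SafeBufferLike, build_body, write_body, write_body_exact_class) are mine, and the input string is constructed for the demo.

```ruby
require 'cgi'

# Stand-in for ActionView::SafeBuffer, written for this example (not Rails'
# code): a String subclass that escapes anything appended to it unless the
# argument is itself marked html-safe.
class SafeBufferLike < String
  def initialize(str = '')
    super(str)
  end

  def html_safe?
    true
  end

  # Untrusted input is HTML-escaped on the way in; another safe buffer is
  # appended verbatim. Returns self, so the result stays a SafeBufferLike.
  def concat(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other)
    else
      super(CGI.escapeHTML(other.to_s))
    end
  end
  alias_method :<<, :concat
end

# Build a response body part the way a template would: literal wrapper markup
# plus untrusted user input. Returns a Rack-style body (an array of parts).
def build_body(user_input)
  buf = SafeBufferLike.new('<p>')
  buf << user_input                    # untrusted: escaped
  buf << SafeBufferLike.new('</p>')    # trusted markup: appended as-is
  [buf]
end

# Assumption: the Rack::Lint range cited in the thread required an exact
# String instance. Both predicates are shown so the difference is visible.
def strict_string_part?(part)
  part.instance_of?(String)
end

def lenient_string_part?(part)
  part.kind_of?(String)
end

# A consumer that coerces each part the way Ruby's core IO does
# (rb_obj_as_string / to_s): it never inspects the exact class.
def write_body(body)
  out = String.new
  body.each { |part| out << part.to_s }
  out
end

# A consumer that insists on the exact class, the failure mode Eric is
# pointing at: a String subclass is rejected even though it is a String.
def write_body_exact_class(body)
  out = String.new
  body.each do |part|
    raise TypeError, "expected String, got #{part.class}" unless part.class == String
    out << part
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  body = build_body('<script>alert(1)</script>')
  puts body.first
  puts "kind_of?(String):     #{lenient_string_part?(body.first)}"
  puts "instance_of?(String): #{strict_string_part?(body.first)}"
  puts write_body(body)
  begin
    write_body_exact_class(body)
  rescue TypeError => e
    puts "exact-class consumer: #{e.message}"
  end
end
```

Two things worth knowing when reading this against Eric's reply. In MRI an instance of a String subclass still has the builtin type T_STRING, so a C extension that validates with Check_Type(obj, T_STRING) or StringValue() accepts it unchanged; what rejects it is an exact-class comparison, which is also what the instance_of? predicate above does. And the escaping only holds for appends that go through concat/<<: in this stand-in, "#{buf}..." interpolation and buf + other produce a plain String and bypass the escaping, so a real safe-buffer type has to cover those paths too.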