[ruby-core:69984] $SAFE inside an Array

[ruby-core:69984] $SAFE inside an Array

[Bertram Scharpf]

Hi,

I stepped through the C source code, and the longer I think
about it I'm convinced it is a real bug.

On Tuesday, 14. Jul 2015, 22:07:32 +0200, Bertram Scharpf wrote:
> [On ruby-talk]
> 
> is this an intended behaviour or is it a bug? I did boil
> down the problem I detected to the smallest possible code.
> 
>   class C
>     t = Thread.new do
>       $SAFE = 1
>       def inspect
>         "<C>"
>       end
>     end
>     t.join
>   end
>   c = C.new
>   puts c.inspect
>   puts [c].inspect
>   not_reached
> 
> The output is:
> 
>   <C>
>   insecure.rb:12:in `inspect': calling insecure method: inspect (SecurityError)
>           from insecure.rb:12:in `<main>'
> 
> Why is the first #inspect allowed but the second is not?
> Should I still use $SAFE at all?

The exception is being raised by the function rb_inspect()
but not by rb_obj_inspect(). The function rb_ary_inspect()
calls rb_inspect() for the objects it contains. The lonely
C#inspect call goes directly to rb_obj_inspect().

When I replace rb_inspect() by rb_obj_inspect() in
rb_ary_inspect(), no exception will be raised.

Either, Array#inspect should call rb_obj_inspect(), too, so
that both lines succeed. The other solution would be that
rb_obj_inspect() raises an exception as well.

This is a matter of programming logic far beyond the $SAFE
mechanism. Please make a decision.

Thanks in advance.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de

[ruby-core:69985] Re: $SAFE inside an Array

[Bertram Scharpf]

Hi again,

On Wednesday, 15. Jul 2015, 22:35:12 +0200, Bertram Scharpf wrote:
> Either, Array#inspect should call rb_obj_inspect(), too, so
> that both lines succeed.

That was too fast. rb_obj_inspect(), of course, is something
else than C#inspect. This is not a solution.

Sorry.

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de

[ruby-core:69996] Re: $SAFE inside an Array

[Nobuyoshi Nakada]

On 2015/07/16 5:35, Bertram Scharpf wrote:
>> The output is:
>>
>>   <C>
>>   insecure.rb:12:in `inspect': calling insecure method: inspect (SecurityError)
>>           from insecure.rb:12:in `<main>'
>>
>> Why is the first #inspect allowed but the second is not?
>> Should I still use $SAFE at all?

It is fixed in the trunk.

[ruby-core:70002] Re: $SAFE inside an Array

[Bertram Scharpf]

On Thursday, 16. Jul 2015, 16:41:40 +0900, Nobuyoshi Nakada wrote:
> On 2015/07/16 5:35, Bertram Scharpf wrote:
> > > The output is:
> > >
> > >   <C>
> > >   insecure.rb:12:in `inspect': calling insecure method: inspect (SecurityError)
> > >           from insecure.rb:12:in `<main>'
> > >
> > > Why is the first #inspect allowed but the second is not?
> > > Should I still use $SAFE at all?
> 
> It is fixed in the trunk.

Thank you.

As far as I can see, it is here (from Git):

  commit 18bbd05709a4d52704ac217f30c0d9f35830b7f0                                                                                     
  Date:   2015-06-03 01:39:16 +0000             

    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50743 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de