Date: Mon, 03 Mar 2014 09:59:37 +0000
From: shugo@ruby-lang.org
To: ruby-core@ruby-lang.org
Subject: [ruby-core:61251] [ruby-trunk - Bug #9588] program name variables tainted

Issue #9588 has been updated by Shugo Maeda.

Jan Rusnacko wrote:
> [jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
> $0: ./tainted.rb, tainted? false
> __FILE__: ./tainted.rb, tainted? true
> $PROGRAM_NAME: ./tainted.rb, tainted? false

I guess it's a regression introduced in r20656.
Or did you mean not to taint $0, Yugui?

----------------------------------------
Bug #9588: program name variables tainted
https://bugs.ruby-lang.org/issues/9588#change-45591

* Author: Jan Rusnacko
* Status: Open
* Priority: Normal
* Assignee:
* Category:
* Target version:
* ruby -v: 1.8.7, 1.9.3, 2.0.0
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
I have noticed an inconsistency in the taint flag of the program name:

[jrusnack@dhcp-31-42 ruby-safe]$ cat tainted.rb
#!/usr/bin/env ruby

puts "$0: #{$0}, tainted? #{$0.tainted?}"
puts "__FILE__: #{__FILE__}, tainted? #{__FILE__.tainted?}"
puts "$PROGRAM_NAME: #{$PROGRAM_NAME}, tainted? #{$PROGRAM_NAME.tainted?}"

[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.8.7
Using /home/jrusnack/.rvm/gems/ruby-1.8.7-p374
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? true
__FILE__: ./tainted.rb, tainted? false
$PROGRAM_NAME: ./tainted.rb, tainted? true

[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.9.3
Using /home/jrusnack/.rvm/gems/ruby-1.9.3-p484
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? false
__FILE__: ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false

[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 2.0.0
Using /home/jrusnack/.rvm/gems/ruby-2.0.0-p353
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? false
__FILE__: ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false

--
http://bugs.ruby-lang.org/