From: gwelch925@gmail.com
To: ruby-core@ruby-lang.org
Date: Fri, 14 Aug 2015 05:59:39 +0000
Subject: [ruby-core:70380] [Ruby trunk - Bug #11442] Bug: Symbols should be taintable.
X-Redmine-Issue-Id: 11442
X-Redmine-Issue-Author: gwelch
X-Redmine-Issue-Assignee: matz

Issue #11442 has been updated by Grant Welch.

Subject changed from String#to_sym returns an untainted Symbol. to Bug: Symbols should be taintable.
After some additional testing, I've come to the conclusion that Symbols cannot be tainted (example below). I expect this may be due to the fact that symbols have a dual meaning. 1) They are a String because we want them to be human-readable, and 2) they are a Number so they can be quickly retrieved. It's understandable that Numbers don't carry a taint flag, but since Symbols have practical use cases in place of Strings, they should carry over 'tainted?' when coming from String#to_sym.

~~~
proc {$SAFE=3;(a = :foo).tainted?}.call # => false
~~~

~~~
a = :foo
a.taint
a.tainted? # => false
~~~

Note: I have come to the conclusion that the behavior is as expected, but I am leaving the issue as a Bug (rather than a Feature) because the logic that Symbols should be un-taintable is flawed.

----------------------------------------
Bug #11442: Bug: Symbols should be taintable.
https://bugs.ruby-lang.org/issues/11442#change-53783

* Author: Grant Welch
* Status: Open
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Subject: String#to_sym returns an untainted Symbol.

Taint checking can be subverted by a String if a tainted String is converted to a Symbol.

After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some.

---------------------------------------------------------------

# Proof of Concept:

~~~
# cat untainted_sym.rb
#!/usr/bin/env ruby -w
print 'Enter a string? '
a = gets                  # data read from stdin is tainted
puts "a: #{a.inspect}, tainted? #{a.tainted?}"
b = a.to_sym              # Symbol built from the tainted String
puts "b: #{b.inspect}, tainted? #{b.tainted?}"
c = b.to_s                # new String rebuilt from the Symbol
puts "c: #{c.inspect}, tainted? #{c.tainted?}"
puts "a == c: #{a == c}"
~~~

# Output:

~~~
$ ruby -w untainted_sym.rb
Enter a string? foobar
a: "foobar\n", tainted? true
b: :"foobar\n", tainted? false
c: "foobar\n", tainted? false
a == c: true
~~~

# Sample Workaround: (to provide the expected SecurityError)

~~~
# safe_level, 1 or 2
# uncertain_var, some variable that could, potentially, be tainted
untainted_sym = proc { $SAFE=safe_level; eval("'#{uncertain_var}'") && uncertain_var.to_sym }.call
# => Symbol for untainted var, SecurityError for tainted var
~~~

# Versions Tested:

* ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
* ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux]
* ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
* ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]

--
https://bugs.ruby-lang.org/
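An added example, not code from the report or from Ruby itself, that models the report's point without relying on `$SAFE` or `tainted?` (both were deprecated in Ruby 2.7 and later removed): because symbols are interned, a per-object trust marker cannot survive `String#to_sym`, so the check has to happen before the conversion. The input string, the allowlist and the helper names are constructed for this example.

```ruby
# Added example (not from the bug report). Models why a per-object taint
# flag cannot ride on a Symbol, and the check a caller can do instead.
# Uses no $SAFE/taint API, so it also runs on current Ruby releases.

# Constructed sample input, as if it came from `gets` in the report's PoC.
UNTRUSTED_INPUT = "foobar\n".freeze

# Symbols are interned: the symbol made from untrusted text is the very same
# object as the one the program already uses for that name, so any marker
# stored on it would show up on the "trusted" copy as well.
def same_interned_object?(text)
  from_input = text.dup.to_sym
  from_program = text.to_sym
  from_input.equal?(from_program)
end

class UntrustedSymbolError < StandardError; end

# Guarded conversion: untrusted text may only become one of the symbols the
# program expects, compared exactly (so the trailing "\n" that `gets` leaves
# behind in the PoC is rejected rather than interned as :"foobar\n").
# Rejecting before interning also keeps arbitrary names out of the symbol table.
def symbol_from_untrusted(text, allowed)
  allowed_names = allowed.map(&:to_s)
  unless allowed_names.include?(text)
    raise UntrustedSymbolError, "#{text.inspect} is not an expected name"
  end
  text.to_sym
end

# Wrapper returning :rejected instead of raising, so callers can inspect
# the outcome without a rescue of their own.
def classify_input(text, allowed)
  symbol_from_untrusted(text, allowed)
rescue UntrustedSymbolError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "interned identical: #{same_interned_object?(UNTRUSTED_INPUT)}"
  puts "raw gets input:     #{classify_input(UNTRUSTED_INPUT, [:foobar])}"
  puts "chomped input:      #{classify_input(UNTRUSTED_INPUT.chomp, [:foobar])}"
  puts "unexpected name:    #{classify_input('admin', [:foobar, :baz])}"
end
```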