Date: Fri, 12 Jul 2019 02:01:25 +0000 (UTC)
From: merch-redmine@jeremyevans.net
To: ruby-core@ruby-lang.org
Subject: [ruby-core:93699] [Ruby master Bug#9588] program name variables tainted
X-Redmine-Issue-Id: 9588
X-Redmine-Issue-Author: jrusnack
X-Redmine-Sender: jeremyevans0

Issue #9588 has been updated by jeremyevans0 (Jeremy Evans).

Backport deleted (1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN)

It looks like `$0`, `__FILE__`, and `$PROGRAM_NAME` have not been tainted since 2.1. I'm not sure if this is still considered a bug or not.

----------------------------------------
Bug #9588: program name variables tainted
https://bugs.ruby-lang.org/issues/9588#change-79317

* Author: jrusnack (Jan Rusnacko)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: 1.8.7, 1.9.3, 2.0.0
* Backport:
----------------------------------------
I have noticed an inconsistency in the taint flag of the program name:

    [jrusnack@dhcp-31-42 ruby-safe]$ cat tainted.rb
    #!/usr/bin/env ruby

    puts "$0: #{$0}, tainted? #{$0.tainted?}"
    puts "__FILE__: #{__FILE__}, tainted? #{__FILE__.tainted?}"
    puts "$PROGRAM_NAME: #{$PROGRAM_NAME}, tainted? #{$PROGRAM_NAME.tainted?}"

    [jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.8.7
    Using /home/jrusnack/.rvm/gems/ruby-1.8.7-p374
    [jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
    $0: ./tainted.rb, tainted? true
    __FILE__: ./tainted.rb, tainted? false
    $PROGRAM_NAME: ./tainted.rb, tainted? true

    [jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.9.3
    Using /home/jrusnack/.rvm/gems/ruby-1.9.3-p484
    [jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
    $0: ./tainted.rb, tainted? false
    __FILE__: ./tainted.rb, tainted? true
    $PROGRAM_NAME: ./tainted.rb, tainted? false

    [jrusnack@dhcp-31-42 ruby-safe]$ rvm use 2.0.0
    Using /home/jrusnack/.rvm/gems/ruby-2.0.0-p353
    [jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
    $0: ./tainted.rb, tainted? false
    __FILE__: ./tainted.rb, tainted? true
    $PROGRAM_NAME: ./tainted.rb, tainted? false

-- 
https://bugs.ruby-lang.org/
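The thread above shows the practical lesson for anyone writing security-sensitive Ruby: the taint flag on `$0`, `__FILE__` and `$PROGRAM_NAME` differs from version to version, and `tainted?` itself was later deprecated and then removed, so a program cannot rely on it to decide whether a program-name-derived path is trustworthy. The following script is an added example, not code from the bug report or from the Ruby project; the helper names `taint_status` and `program_path_allowed?` and the allowed directory list are assumptions chosen for illustration. It reports the taint flag only where the interpreter still supports it, and otherwise performs the explicit path validation a defender would want regardless of taint state.

```ruby
# Added example (not from the bug report): the taint flag on the program-name
# variables is inconsistent across Ruby versions, so trust decisions about a
# program-name-derived path are made with an explicit check instead.
require "pathname"

# Report the taint flag only where the interpreter still supports it.
# On Rubies where String#tainted? no longer exists this returns nil rather
# than raising, so callers can log the value without crashing.
def taint_status(value)
  return nil unless value.respond_to?(:tainted?)
  value.tainted?
end

# Explicit validation that replaces reliance on the taint flag: the path must
# be non-nil, contain no NUL byte (which would truncate it at the OS level),
# and, once expanded to an absolute path with ".." segments resolved, lie
# inside one of the allowed directories (hypothetical allowlist, caller-supplied).
def program_path_allowed?(path, allowed_dirs)
  return false if path.nil? || path.include?("\0")
  real = File.expand_path(path)
  allowed_dirs.any? do |dir|
    base = File.expand_path(dir)
    real == base || real.start_with?(base + File::SEPARATOR)
  end
end

if __FILE__ == $0
  # Same three variables the report compares, printed with the guarded check.
  names = %w[$0 __FILE__ $PROGRAM_NAME]
  names.zip([$0, __FILE__, $PROGRAM_NAME]).each do |name, value|
    puts "#{name}: #{value}, tainted? #{taint_status(value).inspect}"
  end
  # "/opt/app" is a constructed example directory; Dir.pwd covers a local run.
  puts "program path allowed? #{program_path_allowed?($0, ["/opt/app", Dir.pwd])}"
end
```

`File.expand_path` collapses `..` before the prefix comparison, so a path such as `/opt/app/../etc/passwd` is rejected even though it textually begins with the allowed directory; the `File::SEPARATOR` suffix on the base prevents `/opt/application` from matching an allowlist entry of `/opt/app`.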