Date: Sun, 13 Oct 2019 17:19:09 +0000 (UTC)
From: merch-redmine@jeremyevans.net
To: ruby-core@ruby-lang.org
Subject: [ruby-core:95314] [Ruby master Bug#9588] program name variables tainted

Issue #9588 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

As tainting will be removed from Ruby 2.7, this can be closed.

----------------------------------------
Bug #9588: program name variables tainted
https://bugs.ruby-lang.org/issues/9588#change-82010

* Author: jrusnack (Jan Rusnacko)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: 1.8.7, 1.9.3, 2.0.0
* Backport:
----------------------------------------
I have noticed an inconsistency in the taint flag of the program name:

```
[jrusnack@dhcp-31-42 ruby-safe]$ cat tainted.rb
#!/usr/bin/env ruby

puts "$0: #{$0}, tainted? #{$0.tainted?}"
puts "__FILE__: #{__FILE__}, tainted? #{__FILE__.tainted?}"
puts "$PROGRAM_NAME: #{$PROGRAM_NAME}, tainted? #{$PROGRAM_NAME.tainted?}"
[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.8.7
Using /home/jrusnack/.rvm/gems/ruby-1.8.7-p374
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? true
__FILE__: ./tainted.rb, tainted? false
$PROGRAM_NAME: ./tainted.rb, tainted? true
[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.9.3
Using /home/jrusnack/.rvm/gems/ruby-1.9.3-p484
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? false
__FILE__: ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false
[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 2.0.0
Using /home/jrusnack/.rvm/gems/ruby-2.0.0-p353
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? false
__FILE__: ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false
```

--
https://bugs.ruby-lang.org/