From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-4.0 required=3.0 tests=AWL,BAYES_00, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id 050ED1F463 for ; Sat, 30 Nov 2019 09:27:47 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id F1A981209DD; Sat, 30 Nov 2019 18:27:35 +0900 (JST) Received: from xtrwkhkc.outbound-mail.sendgrid.net (xtrwkhkc.outbound-mail.sendgrid.net [167.89.16.28]) by neon.ruby-lang.org (Postfix) with ESMTPS id D6D041209CE for ; Sat, 30 Nov 2019 18:27:32 +0900 (JST) Received: by filter0107p3las1.sendgrid.net with SMTP id filter0107p3las1-1811-5DE23601-14 2019-11-30 09:27:29.891150223 +0000 UTC m=+898565.316198078 Received: from herokuapp.com (unknown [18.234.240.220]) by ismtpd0065p1iad2.sendgrid.net (SG) with ESMTP id anosQfNURm2KWSkIWfeG_g for ; Sat, 30 Nov 2019 09:27:29.796 +0000 (UTC) Date: Sat, 30 Nov 2019 09:27:29 +0000 (UTC) From: hsbt@ruby-lang.org Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 71676 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 16131 X-Redmine-Issue-Author: naruse X-Redmine-Sender: hsbt X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: =?us-ascii?Q?9+ToIm+BmphpEzrVEr2fqVDpB0VofQNbgfqsVvtPdY11ZZK+XOleqpTiFoFLrA?= =?us-ascii?Q?iXkquoUD223eHJbgX4khe=2F0ZWWNcMH5UDrtP7h7?= =?us-ascii?Q?bZHA4SMoQ+4CL8PjNQrUlViIycvGogwNPdSigNc?= =?us-ascii?Q?EAVfockWyDqfbNO2foO+qXACvZlGNGUF+U0zne0?= =?us-ascii?Q?9tn19crEWfx8BsmQpAWdiCUGTko5Y09lsDg=3D=3D?= To: ruby-core@ruby-lang.org X-ML-Name: ruby-core X-Mail-Count: 96036 Subject: [ruby-core:96036] [Ruby master Feature#16131] Remove $SAFE, taint and trust X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #16131 has been updated by hsbt (Hiroshi SHIBATA). I released the new versions: fileutils, webrick, date, dbm, etc, gdbm, stringio, zlib. @kou rexml, rss, fiddle, strscan @nobu io-console Can you release the new versions contained to drop taint support? and Can you import upstream version to ruby-core repository before Ruby 2.7.0-rc1 release. ---------------------------------------- Feature #16131: Remove $SAFE, taint and trust https://bugs.ruby-lang.org/issues/16131#change-82885 * Author: naruse (Yui NARUSE) * Status: Closed * Priority: Normal * Assignee: * Target version: ---------------------------------------- Ruby had Taint checking which is originally introduced in Perl. https://en.wikipedia.org/wiki/Taint_checking It was intended to provide a useful tool for handle objects which are come from outside. Input data is set as tainted by default and call untaint if you checked or filtered the value. Some people used this feature in the age of CGI. But these days, no one use the mechanism and input libraries usually doesn't support it. For example rack, as following shows its input is not tainted and the mechanism is unusable. ``` % cat foo.ru run ->(env) do ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]] end % rackup foo.ru [51724] Puma starting in cluster mode... [51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas [51724] * Min threads: 3, max threads: 3 [51724] * Environment: development [51724] * Process workers: 1 [51724] * Preloading application [51724] * Listening on tcp://localhost:9292 [51724] Use Ctrl-C to stop [51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile [51724] - Worker 0 (pid: 51737) booted, phase: 0 ``` ``` % curl http://localhost:9292/\?foo=1 Is QUERY_STRING tainted?: false ``` Therefore I think Taint checking mechanism is unusable on the current Ruby ecosystem. On the other hand we experienced multiple vulnerability around $SAFE and taint mechanism. https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8 The cost of maintaining it is expensive. In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it. I suggest to remove it. -- https://bugs.ruby-lang.org/