Bug #2223

lib/delegate: security model?

Added by marcandre (Marc-Andre Lafortune) over 9 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal
Target version:
ruby -v: ruby 1.9.2dev (2009-10-17 trunk 25379) [x86_64-darwin10.0.0]
Backport:
[ruby-core:26138]

Description

=begin
Take the following code:

require 'delegate'
cat = "cat"
dog = SimpleDelegator.new("dog")

cat.untrust
dog.untrust

lambda {$SAFE = 4; cat.upcase!}.call # ==> "CAT"
lambda {$SAFE = 4; dog.upcase!}.call # ==> Security Error

Is that expected?

Maybe #trust, #untrust, #taint and #untaint should both call 'super' and forward the call to __getobj__?

I'm even less sure as to what to do with #tainted? and #untrusted? for mixed cases (i.e. when self and __getobj__ have different taintedness/trust). Disallow these cases? return "super || __getobj__.tainted?" ?
=end
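
The mismatch reported above, as an added example that is not part of the original ticket or of lib/delegate: it models the trust flag in plain Ruby, since modern Ruby no longer has $SAFE levels or #untrust. TrustFlag, GuardedText, NaiveDelegator, ForwardingDelegator and sandboxed_upcase are hypothetical names.

```ruby
# Constructed model of the Ruby 1.9 trust flag (not the real Object#untrust).
module TrustFlag
  def untrust;    @untrusted = true; self; end
  def untrusted?; @untrusted == true; end
end

# Stand-in for a String under $SAFE = 4: sandboxed code may only
# modify an object that itself carries the untrusted flag.
class GuardedText
  include TrustFlag
  attr_reader :value
  def initialize(value); @value = value.dup; end

  def upcase!
    raise SecurityError, "Insecure: can't modify trusted object" unless untrusted?
    @value.upcase!
    self
  end
end

# Wrapper behaving as in the report: #untrust marks only the wrapper,
# while mutating calls are forwarded to the still-trusted target.
class NaiveDelegator
  include TrustFlag
  def initialize(target); @target = target; end
  def __getobj__; @target; end

  def method_missing(name, *args, &blk)
    @target.respond_to?(name) ? @target.public_send(name, *args, &blk) : super
  end

  def respond_to_missing?(name, priv = false)
    @target.respond_to?(name, priv) || super
  end
end

# Wrapper following the suggestion: forward to __getobj__ and call super,
# so the wrapper and the wrapped object always agree.
class ForwardingDelegator < NaiveDelegator
  def untrust
    __getobj__.untrust
    super
  end
end

# Runs the mutation and reports either the new value or the error class.
def sandboxed_upcase(obj)
  obj.upcase!.value
rescue SecurityError => e
  e.class.name
end
```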

History

#1

Updated by mame (Yusuke Endoh) about 9 years ago

  • Assignee set to marcandre (Marc-Andre Lafortune)
  • Target version set to 1.9.2

=begin
Hi,

Could you create and send a patch?
If rubyspec and make check pass, and if there is no objection,
please commit it by yourself.

You can handle #2224 and #2496 in a similar way. You have control.

--
Yusuke Endoh mame@tsg.ne.jp
=end

#2

Updated by mame (Yusuke Endoh) about 9 years ago

=begin
Hi, Marc-andre

What's the status? Or should I do it myself?

Could you create and send a patch?
If rubyspec and make check pass, and if there is no objection,
please commit it by yourself.

You can handle #2224 and #2496 in a similar way. You have control.

--
Yusuke Endoh mame@tsg.ne.jp
=end

#3

Updated by marcandre (Marc-Andre Lafortune) about 9 years ago

=begin
Hi!

I've had very little spare time last month, sorry, but I'll close the few issues assigned to me soon (definitely in time for the release candidate).

Thanks!
--
Marc-André
=end

#4

Updated by marcandre (Marc-Andre Lafortune) almost 9 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

=begin
This issue was solved with changeset r28376.
Marc-Andre, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

=end
