Bug #2223

closed

lib/delegate: security model?

Added by marcandre (Marc-Andre Lafortune) over 14 years ago. Updated almost 13 years ago.

Status: Closed
Target version:
ruby -v: ruby 1.9.2dev (2009-10-17 trunk 25379) [x86_64-darwin10.0.0]
Backport:
[ruby-core:26138]

Description

=begin
Take the following code:

require 'delegate'
cat = "cat"
dog = SimpleDelegator.new("dog")

cat.untrust
dog.untrust

lambda {$SAFE = 4; cat.upcase!}.call # ==> "CAT"
lambda {$SAFE = 4; dog.upcase!}.call # ==> Security Error

Is that expected?

Maybe #trust, #untrust, #taint and #untaint should both call 'super' and forward the call to __getobj__?

I'm even less sure as to what to do with #tainted? and #untrusted? for mixed cases (i.e. when self and __getobj__ have different taintedness/trust). Disallow these cases? Return "super || __getobj__.tainted?"?
=end
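
The suggestion in the report above (state-changing methods both forward to __getobj__ and call super), as an added example that is not part of the original report or of lib/delegate. It generalizes to freeze, because the taint/trust methods were removed in Ruby 3.2; NaiveWrapper, ForwardObjectState, StateForwardingWrapper and freeze_and_mutate are hypothetical names.

```ruby
# Added illustration; all class/module names are hypothetical, not lib/delegate code.
class NaiveWrapper
  def initialize(obj)
    @obj = obj
  end

  def __getobj__
    @obj
  end

  # Only methods the wrapper lacks get forwarded; freeze, taint, etc. come from Object.
  def method_missing(name, *args, &block)
    return super unless @obj.respond_to?(name)
    @obj.public_send(name, *args, &block)
  end

  def respond_to_missing?(name, include_private = false)
    @obj.respond_to?(name, include_private) || super
  end
end

# Suggested fix: change the target's state, then call super for the wrapper's own.
module ForwardObjectState
  # taint/untaint/trust/untrust only exist on Ruby < 3.2 and are filtered out otherwise.
  STATE_METHODS = [:freeze, :taint, :untaint, :trust, :untrust]
                  .select { |m| Object.method_defined?(m) }.freeze
  STATE_METHODS.each do |m|
    define_method(m) do
      __getobj__.public_send(m)
      super()
    end
  end
end

class StateForwardingWrapper < NaiveWrapper
  include ForwardObjectState
end

# Returns [wrapper frozen?, target frozen?, result of upcase! through the wrapper].
def freeze_and_mutate(wrapper_class)
  w = wrapper_class.new(String.new("dog"))
  w.freeze
  result = begin
    w.upcase!
  rescue FrozenError => e
    e.class
  end
  [w.frozen?, w.__getobj__.frozen?, result]
end
```

With NaiveWrapper the wrapper reports frozen while the wrapped string is still mutated through it, which is the same wrapper/target state split the report shows for untrust.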

Actions #1

Updated by mame (Yusuke Endoh) almost 14 years ago

  • Assignee set to marcandre (Marc-Andre Lafortune)
  • Target version set to 1.9.2

=begin
Hi,

Could you create and send a patch?
If rubyspec and make check pass, and if there is no objection,
please commit it by yourself.

You can handle #2224 and #2496 in a similar way. You have control.

--
Yusuke Endoh
=end

Actions #2

Updated by mame (Yusuke Endoh) almost 14 years ago

=begin
Hi, Marc-Andre

What's the status? Or should I do it myself?

Could you create and send a patch?
If rubyspec and make check pass, and if there is no objection,
please commit it by yourself.

You can handle #2224 and #2496 in a similar way. You have control.

--
Yusuke Endoh
=end

Actions #3

Updated by marcandre (Marc-Andre Lafortune) almost 14 years ago

=begin
Hi!

I've had very little spare time last month, sorry, but I'll close the few issues assigned to me soon (definitely in time for the release candidate).

Thanks!

Marc-André
=end

Actions #4

Updated by marcandre (Marc-Andre Lafortune) over 13 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

=begin
This issue was solved with changeset r28376.
Marc-Andre, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

=end
