Is BigDecimal really not $SAFE?
Why does BigDecimal call SafeStringValue?
irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().
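For contrast, the caller-side validation that the reporter argues against, as an added example that is not from the bug report or from Ruby's bigdecimal sources; `parse_untrusted_decimal`, `safe_decimal?`, `DECIMAL_RE` and the 64-byte cap are hypothetical names and a constructed limit. It uses the `BigDecimal()` method rather than `BigDecimal.new`, which current Ruby versions no longer provide.

```ruby
require 'bigdecimal'

# Hypothetical helper (not part of Ruby or of this bug report): validate an
# untrusted decimal string in the caller before it reaches BigDecimal, so the
# application does not depend on the taint check that was removed.
# Accepts plain decimals with optional sign, fraction and exponent only;
# "Infinity", "NaN", hex and trailing garbage are rejected outright.
DECIMAL_RE = /\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?\z/

# Constructed limit: bounds the size of input BigDecimal has to parse.
MAX_LEN = 64

class UntrustedDecimalError < ArgumentError; end

# Returns a BigDecimal for a well-formed input, raises UntrustedDecimalError
# for anything else (wrong type, oversized, malformed).
def parse_untrusted_decimal(str)
  raise UntrustedDecimalError, 'not a String' unless str.is_a?(String)
  raise UntrustedDecimalError, 'too long' if str.bytesize > MAX_LEN

  s = str.strip
  raise UntrustedDecimalError, "malformed: #{str.inspect}" unless DECIMAL_RE.match?(s)

  BigDecimal(s)
end

# Boolean form for callers that only want to know whether input is acceptable.
def safe_decimal?(str)
  parse_untrusted_decimal(str)
  true
rescue UntrustedDecimalError
  false
end
```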
- ext/bigdecimal/bigdecimal.c (BigDecimal_new): stop checking string taintness. [Bug #5508]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38147 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
#3 Updated by mrkn (Kenta Murata) over 5 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100