
Bug #5508

Is BigDecimal really not $SAFE?

Added by angdraug (Dmitry Borodaenko) almost 6 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Target version:
ruby -v: ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]
[ruby-core:40510]

Description

Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
from (irb):1:in `new'
from (irb):1
from /usr/bin/irb:12:in '

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().
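What the report asks for, checking the string itself instead of its taint flag, sketched as an added Ruby example (it is not code from the report or from bigdecimal, and it does not use $SAFE or taint, which later Rubies dropped; the accepted grammar, the 64-byte length cap and the exponent-digit cap are assumptions):

```ruby
# Added example (not from the bug report or from ext/bigdecimal): validate an
# untrusted decimal string before handing it to BigDecimal, the kind of check
# the reporter argues belongs with BigDecimal rather than in taint tracking.
# Assumes only the standard bigdecimal library.
require 'bigdecimal'

# Strict grammar for a decimal literal: optional sign, digits, optional
# fraction, optional exponent of at most four digits (assumed cap, so that a
# caller expanding the value to plain digits cannot be handed "1e999999999").
# Whitespace, underscores, hex prefixes and trailing garbage are all rejected
# rather than silently truncated.
DECIMAL_RE = /\A[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d{1,4})?\z/
MAX_BYTES = 64 # assumed upper bound on input length

class InvalidDecimal < ArgumentError; end

# Returns a BigDecimal for a well-formed input, raises InvalidDecimal otherwise.
def parse_decimal(str)
  raise InvalidDecimal, "not a String: #{str.class}" unless str.is_a?(String)
  raise InvalidDecimal, "input longer than #{MAX_BYTES} bytes" if str.bytesize > MAX_BYTES
  raise InvalidDecimal, "malformed decimal: #{str.inspect}" unless DECIMAL_RE.match?(str)
  BigDecimal(str)
end

# Non-raising variant for callers that prefer nil on bad input.
def parse_decimal_or_nil(str)
  parse_decimal(str)
rescue InvalidDecimal
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the first three are accepted, the rest rejected.
  %w[1 -3.25 1e5 1_000 0x1F 1abc 1e99999].each do |s|
    v = parse_decimal_or_nil(s)
    puts "#{s.inspect} -> #{v ? v.to_s('F') : 'rejected'}"
  end
end
```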

Associated revisions

Revision 38147
Added by mrkn (Kenta Murata) almost 5 years ago

  • ext/bigdecimal/bigdecimal.c (BigDecimal_new): stop checking string taintness. [Bug #5508]

History

#1 [ruby-core:40598] Updated by mrkn (Kenta Murata) almost 6 years ago

  • Assignee set to mrkn (Kenta Murata)
  • Target version set to 2.0.0

#2 Updated by shyouhei (Shyouhei Urabe) over 5 years ago

  • Status changed from Open to Assigned

#3 Updated by mrkn (Kenta Murata) almost 5 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r38147.
Dmitry, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

