Bug #5508: Is BigDecimal really not $SAFE? - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #5508

closed

Is BigDecimal really not $SAFE?

Added by angdraug (Dmitry Borodaenko) about 13 years ago. Updated almost 12 years ago.

Status:

Closed

Assignee:

mrkn (Kenta Murata)

Target version:

2.0.0

ruby -v:

ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]

Backport:

[ruby-core:40510]

Description

Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
from (irb):1:in new' from (irb):1 from /usr/bin/irb:12:in '

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #5508

Is BigDecimal really not $SAFE?

Updated by mrkn (Kenta Murata) about 13 years ago

Updated by shyouhei (Shyouhei Urabe) over 12 years ago

Updated by mrkn (Kenta Murata) almost 12 years ago