Project

General

Profile

Actions
Copy link
Like0

Bug #5508

closed

Is BigDecimal really not $SAFE?

Added by angdraug (Dmitry Borodaenko) over 13 years ago. Updated over 12 years ago.

Status:
Closed
Assignee:
mrkn (Kenta Murata)
Target version:
2.0.0
ruby -v:
ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]
Backport:
[ruby-core:40510]

Description

Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
from (irb):1:in new' from (irb):1 from /usr/bin/irb:12:in '

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().

#1 [ruby-core:40598]

Updated by mrkn (Kenta Murata) over 13 years ago

  • Assignee set to mrkn (Kenta Murata)
  • Target version set to 2.0.0
#2

Updated by shyouhei (Shyouhei Urabe) about 13 years ago

  • Status changed from Open to Assigned
#3

Updated by mrkn (Kenta Murata) over 12 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions
Copy link
Like0

Also available in: Atom PDF