Bug #884

Insecure operation: -r

Added by znz (Kazuhiro NISHIYAMA) over 10 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal
Target version: -
ruby -v:
Backport:
[ruby-dev:37446]

Description

=begin
Doing the following makes a mysterious -r appear in the error message.

% ruby-trunk -ve '$SAFE=4;open("")'
ruby 1.9.1 (2008-12-14 revision 20736) [i686-linux]
-e:1:in `open': Insecure operation: -r (SecurityError)
	from -e:1:in `<main>'
%
=end

Associated revisions

Revision aebfdbee
Added by ko1 (Koichi Sasada) over 10 years ago

  • eval.c (rb_frame_callee, rb_frame_caller): rb_frame_callee() should return method id on current frame. add rb_frame_caller() to get method id on parent frame. Bug #884 [ruby-dev:37446]
  • eval.c (rb_f_method_name): use rb_frame_caller() instead of rb_frame_callee().

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@21093 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 21093
Added by ko1 (Koichi Sasada) over 10 years ago

  • eval.c (rb_frame_callee, rb_frame_caller): rb_frame_callee() should return method id on current frame. add rb_frame_caller() to get method id on parent frame. Bug #884 [ruby-dev:37446]
  • eval.c (rb_f_method_name): use rb_frame_caller() instead of rb_frame_callee().

Revision c7239a7e
Added by yugui (Yuki Sonoda) over 10 years ago

merges r21093 from trunk into ruby_1_9_1.

  • eval.c (rb_frame_callee, rb_frame_caller): rb_frame_callee() should return method id on current frame. add rb_frame_caller() to get method id on parent frame. Bug #884 [ruby-dev:37446]
  • eval.c (rb_f_method_name): use rb_frame_caller() instead of rb_frame_callee().

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_1@21123 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

History

#1

Updated by matz (Yukihiro Matsumoto) over 10 years ago

  • Assignee set to ko1 (Koichi Sasada)

#2

Updated by matz (Yukihiro Matsumoto) over 10 years ago

=begin
This is Yukihiro Matsumoto.

In message "Re: [ruby-dev:37446] [Bug #884] Insecure operation: -r"
on Mon, 15 Dec 2008 19:58:41 +0900, Kazuhiro NISHIYAMA redmine@ruby-lang.org writes:

|Doing the following makes a mysterious -r appear in the error message.
|
|% ruby-trunk -ve '$SAFE=4;open("")'
|ruby 1.9.1 (2008-12-14 revision 20736) [i686-linux]
|-e:1:in `open': Insecure operation: -r (SecurityError)
|	from -e:1:in `<main>'
|%

It seems that when rb_check_safe_obj() is called inside a method (open)
and raises an error, and that method was called from the top level,
rb_frame_callee() is NULL, so the error is mistaken for one that
occurred in -r.

It looks like rb_check_safe_obj() needs to distinguish between a method
called from the top level and the stage before the execution environment
exists (-r). I'll look into how the two can be distinguished.

=end

#3

Updated by ko1 (Koichi Sasada) over 10 years ago

=begin
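 This is Sasada.

Yukihiro Matsumoto wrote::

|Doing the following makes a mysterious -r appear in the error message.
|
|% ruby-trunk -ve '$SAFE=4;open("")'
|ruby 1.9.1 (2008-12-14 revision 20736) [i686-linux]
|-e:1:in `open': Insecure operation: -r (SecurityError)
|	from -e:1:in `<main>'
|%

It seems that when rb_check_safe_obj() is called inside a method (open)
and raises an error, and that method was called from the top level,
rb_frame_callee() is NULL, so the error is mistaken for one that
occurred in -r.

It looks like rb_check_safe_obj() needs to distinguish between a method
called from the top level and the stage before the execution environment
exists (-r). I'll look into how the two can be distinguished.

 To begin with, it is not good that rb_frame_callee() looks at the caller.
Influenced by the name of rb_f_method_name(), it was given the name
rb_frame_callee() where it should have been named something like
rb_frame_caller(), and that is not good.

 So I wrote the following patch. What do you think?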

Index: eval.c
===================================================================
--- eval.c (リビジョン 20968)
+++ eval.c (作業コピー)
@@ -750,6 +750,12 @@ rb_frame_this_func(void)
ID
rb_frame_callee(void)
{

  • return frame_func_id(GET_THREAD()->cfp); +} + +static ID +rb_frame_caller(void) +{ rb_thread_t th = GET_THREAD(); rb_control_frame_t *prev_cfp = RUBY_VM_PREVIOUS_CONTROL_FRAME(th->cfp); / check if prev_cfp can be accessible */ @@ -1105,7 +1111,7 @@ rb_f_local_variables(void) static VALUE rb_f_method_name(void) {
  • ID fname = rb_frame_callee();
  • ID fname = rb_frame_caller(); /* need caller ID */

    if (fname) {
    return ID2SYM(fname);
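
Review bot: In the first hunk, rb_frame_callee() keeps its name and its non-static linkage but now returns frame_func_id(GET_THREAD()->cfp), the ID of the current frame rather than the parent's, so every existing caller silently changes meaning while only rb_f_method_name() is moved to rb_frame_caller(). Please list the remaining callers and confirm each one wants the current frame, and add a comment on both functions stating which frame they inspect. The "check if prev_cfp can be accessible" guard stays with rb_frame_caller(); it is worth confirming that frame_func_id() yields 0 rather than reading an invalid frame when it runs before any method frame exists, which is the -r stage raised earlier in this thread.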
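
Review bot: In the rb_f_method_name() hunk, the only record of why this function needs the parent frame is the inline comment /* need caller ID */, and nothing in the patch pins the behaviour down. Suggest adding regression tests alongside it: one that the Ruby-level method backed by rb_f_method_name() still returns the enclosing method's name, and one that the reported case ($SAFE=4;open("")) no longer produces "Insecure operation: -r".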

--
// SASADA Koichi at atdot dot net

=end
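
A minimal model of the misattribution discussed in this thread, added here as an illustration; it is not code from Ruby's eval.c or from the patch author. The frame stack, the `ID_OPEN` constant, all function names and the `Insecure operation - <name>` wording for the named case are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Ruby's eval.c: a stack of per-frame method IDs.
 * ID 0 means "no method", which is what the top-level frame carries. */
typedef unsigned long ID;
enum { ID_NONE = 0, ID_OPEN = 1 };

struct vm { ID frames[8]; int depth; };  /* frames[depth-1] is current */

/* Behaviour before the fix, as described in the thread: the PARENT frame. */
static ID callee_before_fix(const struct vm *vm) {
    if (vm->depth < 2) return ID_NONE;   /* no parent frame to inspect */
    return vm->frames[vm->depth - 2];
}

/* Behaviour after the fix, per the commit message: the CURRENT frame. */
static ID callee_after_fix(const struct vm *vm) {
    if (vm->depth < 1) return ID_NONE;   /* modelled "-r" stage: no frames */
    return vm->frames[vm->depth - 1];
}

static const char *id_name(ID id) { return id == ID_OPEN ? "open" : "?"; }

/* Models the message choice in the security check: a missing method ID is
 * read as "raised while handling -r". The named wording is an assumption. */
static const char *insecure_message(ID id, char *buf, size_t n) {
    if (id == ID_NONE) snprintf(buf, n, "Insecure operation: -r");
    else snprintf(buf, n, "Insecure operation - %s", id_name(id));
    return buf;
}

/* Constructed scenario: the top level calls open(""), check runs in open. */
static struct vm toplevel_calls_open(void) {
    struct vm vm = { { ID_NONE, ID_OPEN }, 2 };
    return vm;
}

int main(void) {
    char buf[64];
    struct vm vm = toplevel_calls_open();
    puts(insecure_message(callee_before_fix(&vm), buf, sizeof buf));
    puts(insecure_message(callee_after_fix(&vm), buf, sizeof buf));
    return 0;
}
```
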

#4

Updated by ko1 (Koichi Sasada) over 10 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

=begin
Applied in changeset r21093.
=end
