Bug #8945

closed

Unmarshaling an Array containing a Bignum from a tainted String returns a frozen, tainted Bignum

Added by brixen (Brian Shirai) over 10 years ago. Updated about 10 years ago.

Status: Closed
Target version:
ruby -v: ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
[ruby-core:57346]

Description

In 2.1, Symbol, Fixnum, Bignum, and Float (at least) have been changed to frozen by default. Consequently, calling #taint on an instance of those classes raises a RuntimeError because a frozen object cannot be modified to be tainted. However:

sasha:rbx brian$ ruby -v
ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
sasha:rbx brian$ irb
irb(main):001:0> a = 0xffff_ffff_ffff_ffff
=> 18446744073709551615
irb(main):002:0> a.class
=> Bignum
irb(main):003:0> a.frozen?
=> true
irb(main):004:0> a.tainted?
=> false
irb(main):005:0> str = Marshal.dump([a]).taint
=> "\x04\b[\x06l+\t\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
irb(main):006:0> str.tainted?
=> true
irb(main):007:0> aa = Marshal.load(str)
=> [18446744073709551615]
irb(main):008:0> aa.first.class
=> Bignum
irb(main):009:0> aa.first.frozen?
=> true
irb(main):010:0> aa.first.tainted?
=> true
irb(main):011:0>

The behavior above is inconsistent with the results of performing the same operations on instances of Symbol, Fixnum, Float. For example:

irb(main):014:0> :a.frozen?
=> true
irb(main):015:0> :a.tainted?
=> false
irb(main):016:0> str = Marshal.dump([:a]).taint
=> "\x04\b[\x06:\x06a"
irb(main):017:0> aa = Marshal.load(str)
=> [:a]
irb(main):018:0> aa.tainted?
=> true
irb(main):019:0> aa.first.frozen?
=> true
irb(main):020:0> aa.first.tainted?
=> false

Updated by hsbt (Hiroshi SHIBATA) about 10 years ago

  • Target version changed from 2.1.0 to 2.2.0

Updated by nobu (Nobuyoshi Nakada) about 10 years ago

  • Category set to core
  • Status changed from Open to Assigned
  • Assignee set to matz (Yukihiro Matsumoto)

As Bignum instances are frozen now, it feels reasonable that they never be tainted, IMO.

Updated by matz (Yukihiro Matsumoto) about 10 years ago

Agreed. It should be consistent here.

Matz.

Updated by nobu (Nobuyoshi Nakada) about 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r44891.


marshal.c: Numerics are not tainted

  • include/ruby/ruby.h (OBJ_TAINTABLE, OBJ_TAINT, OBJ_INFECT),
    marshal.c (r_entry0): all Numerics never be tainted now.
    [ruby-core:57346] [Bug #8945]

Updated by usa (Usaku NAKAMURA) about 10 years ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REJECTED, 2.0.0: UNKNOWN

IMO this is a feature change, although it is infinitely close to a bug.
So, I decided not to backport this into 1.9.3.
