Project

General

Profile

Actions
Copy link

Bug #9564

closed

Tainted string permitted in Kernel.trap in safe level 1

Bug #9564: Tainted string permitted in Kernel.trap in safe level 1

Added by jrusnack (Jan Rusnacko) over 11 years ago. Updated about 6 years ago.

Status:
Rejected
Assignee:
-
Target version:
-
ruby -v:
all?
Backport:
[ruby-core:61080]

Description

According to the existing documentation (I am referring to Programming Ruby: The
Pragmatic Programmer's Guide at http://ruby-doc.com/docs/ProgrammingRuby/ and
The Ruby Programming Language by Flanagan, Matsumoto) Kernel.trap should not
accept a tainted string if $SAFE >= 1.

However, this is true only for $SAFE >= 2, and tainted signal string is accepted
in safe level 1:

signal = "SIGKILL".taint

Thread.start {
$SAFE = 1

no exception

trap(signal) { puts 'foo'}
}.join

Thread.start {
$SAFE = 2

throws SecurityError

trap(signal) { puts 'foo'}
}.join

Updated by usa (Usaku NAKAMURA) over 11 years ago Actions
Copy link
 #1 [ruby-core:61081]

Since r1827 (at Nov.13,2001), trap checks intentionally whether the block is tainted or not, but never checks the first parameter (signal name).
So, I guess that it's documentations' fault.

Updated by jeremyevans0 (Jeremy Evans) about 6 years ago Actions
Copy link
 #2

  • Status changed from Open to Rejected
  • Backport deleted (1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN)
Actions
Copy link

Also available in: PDF Atom