Bug #9588: program name variables tainted
Status: Closed
Description
I have noticed an inconsistency in the taint flag of the program name:
[jrusnack@dhcp-31-42 ruby-safe]$ cat tainted.rb
#!/usr/bin/env ruby
puts "$0: #{$0}, tainted? #{$0.tainted?}"
puts "__FILE__: #{__FILE__}, tainted? #{__FILE__.tainted?}"
puts "$PROGRAM_NAME: #{$PROGRAM_NAME}, tainted? #{$PROGRAM_NAME.tainted?}"
[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.8.7
Using /home/jrusnack/.rvm/gems/ruby-1.8.7-p374
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? true
__FILE__: ./tainted.rb, tainted? false
$PROGRAM_NAME: ./tainted.rb, tainted? true
[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.9.3
Using /home/jrusnack/.rvm/gems/ruby-1.9.3-p484
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? false
__FILE__: ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false
[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 2.0.0
Using /home/jrusnack/.rvm/gems/ruby-2.0.0-p353
[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0: ./tainted.rb, tainted? false
__FILE__: ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false
Updated by shugo (Shugo Maeda) over 12 years ago
Updated by shyouhei (Shyouhei Urabe) over 12 years ago
My expectation for the tainted.rb output is what 1.8.7 outputs. This seems like a regression to me.
Updated by jeremyevans0 (Jeremy Evans) almost 7 years ago
- Backport deleted (1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN)
It looks like $0, __FILE__, and $PROGRAM_NAME have not been tainted since 2.1. I'm not sure if this is still considered a bug or not.
Updated by nobu (Nobuyoshi Nakada) almost 7 years ago
- Description updated (diff)
Updated by ko1 (Koichi Sasada) almost 7 years ago
- Related to Feature #16131: Remove $SAFE, taint and trust added
Updated by jeremyevans0 (Jeremy Evans) over 6 years ago
- Status changed from Open to Closed
As tainting will be removed from Ruby 2.7, this can be closed.