Project

General

Profile

Actions
Copy link

Bug #9588

closed

program name variables tainted

Added by jrusnack (Jan Rusnacko) over 10 years ago. Updated about 5 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
1.8.7, 1.9.3, 2.0.0
Backport:
[ruby-core:61250]

Description

I have noticed inconsistency in taint flag of program name:

[jrusnack@dhcp-31-42 ruby-safe]$ cat tainted.rb
#!/usr/bin/env ruby
puts "$0:            #{$0}, tainted? #{$0.tainted?}"
puts "__FILE__:      #{__FILE__}, tainted? #{__FILE__.tainted?}"
puts "$PROGRAM_NAME: #{$PROGRAM_NAME}, tainted? #{$PROGRAM_NAME.tainted?}"

[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.8.7
Using /home/jrusnack/.rvm/gems/ruby-1.8.7-p374

[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0:            ./tainted.rb, tainted? true
__FILE__:      ./tainted.rb, tainted? false
$PROGRAM_NAME: ./tainted.rb, tainted? true

[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.9.3
Using /home/jrusnack/.rvm/gems/ruby-1.9.3-p484

[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0:            ./tainted.rb, tainted? false
__FILE__:      ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false

[jrusnack@dhcp-31-42 ruby-safe]$ rvm use 2.0.0
Using /home/jrusnack/.rvm/gems/ruby-2.0.0-p353

[jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb
$0:            ./tainted.rb, tainted? false
__FILE__:      ./tainted.rb, tainted? true
$PROGRAM_NAME: ./tainted.rb, tainted? false

Related issues 1 (0 open1 closed)

Related to Ruby master - Feature #16131: Remove $SAFE, taint and trustClosedActions
Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0