Bug #9588: program name variables tainted - Ruby master - Ruby Issue Tracking System

Bug #9588

Updated by nobu (Nobuyoshi Nakada) over 4 years ago

I have noticed inconsistency in taint flag of program name: 

 ``` 
 [jrusnack@dhcp-31-42 ruby-safe]$ cat tainted.rb 
 #!/usr/bin/env ruby 
 puts "$0:              #{$0}, tainted? #{$0.tainted?}" 
 puts "__FILE__:        #{__FILE__}, tainted? #{__FILE__.tainted?}" 
 puts "$PROGRAM_NAME: #{$PROGRAM_NAME}, tainted? #{$PROGRAM_NAME.tainted?}" 

 [jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.8.7 
 Using /home/jrusnack/.rvm/gems/ruby-1.8.7-p374 

 [jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb 
 $0:              ./tainted.rb, tainted? true 
 __FILE__:        ./tainted.rb, tainted? false 
 $PROGRAM_NAME: ./tainted.rb, tainted? true 

 [jrusnack@dhcp-31-42 ruby-safe]$ rvm use 1.9.3 
 Using /home/jrusnack/.rvm/gems/ruby-1.9.3-p484 

 [jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb 
 $0:              ./tainted.rb, tainted? false 
 __FILE__:        ./tainted.rb, tainted? true 
 $PROGRAM_NAME: ./tainted.rb, tainted? false 

 [jrusnack@dhcp-31-42 ruby-safe]$ rvm use 2.0.0 
 Using /home/jrusnack/.rvm/gems/ruby-2.0.0-p353 

 [jrusnack@dhcp-31-42 ruby-safe]$ ./tainted.rb 
 $0:              ./tainted.rb, tainted? false 
 __FILE__:        ./tainted.rb, tainted? true 
 $PROGRAM_NAME: ./tainted.rb, tainted? false 
 ```

Back

Project

General

Profile

Ruby » Ruby master

Bug #9588