Ruby Issue Tracking System

03/30/2018

10:00 PM Ruby Bug #14060 (Open): SecurityError with $SAFE=1 when requiring an untainted path

This bug is now showing up as a regression in version 2.4.4 (it didn't occur in version 2.4.3):
~~~ ruby
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> ... philr3 (Phil Ross)

10/26/2017

07:41 PM Ruby Bug #14060 (Closed): SecurityError with $SAFE=1 when requiring an untainted path

Calling `Kernel#require` with `$SAFE=1` on Ruby 2.5.0preview1 results in a `SecurityError` when the path being required is not tainted:
~~~ ruby
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_... philr3 (Phil Ross)