Forum: Ruby-core [ruby-trunk - Bug #7325][Open] Marshal#load taints classes if they are referenced in a marshaled obj

Posted by urielka (Uriel Katz) (Guest)
on 2012-11-10 14:02
(Received via mailing list)
Issue #7325 has been reported by urielka (Uriel Katz).

----------------------------------------
Bug #7325: Marshal#load taints classes if they are referenced in a marshaled object
https://bugs.ruby-lang.org/issues/7325

Author: urielka (Uriel Katz)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: ruby 1.9.3p327 (2012-11-10 revision 37606) [x86_64-linux]


=begin
= Reproducing steps:
ruby taint.rb

= Output of this script on my computer running 1.9.3-p327:
 Before marshal is tainted?: false
 After marshal is tainted?: true
 Safe level when calling tainted method using call: 4
 Safe level when calling tainted method directly: 0

= Expected:
MyObject#test shouldn't be tainted as it was defined in my own source 
and what was saved into the file is just a reference to MyObject class 
("\u0004\bc\rMyObject")

= Actual:
MyObject#test is tainted and calling it using Method#call will make it 
run in safe-level 4.


= Some background on how I got to this issue:
I wrote some RPC code that accepts a class and method name and does the 
invocation; the way I call the method is getting the method from the 
instance using something like: "cls_instance.method(method_name).call"

I used Rails.cache with FileStore (which uses Marshal#load from file) to 
cache an object that had references to classes.

After reading from the cache all other requests saw the classes as 
tainted and when calling the methods they ran at $SAFE=4 which caused it 
to fail (even puts doesn't work at that level :)

This issue also made me understand that there are 2 potential bugs in 
Rails.
=end
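As an added example that is not part of the bug report or of Ruby's own code: a defensive complement to the situation described above. Instead of discovering after the fact that a cached payload has tainted the classes it references, a cache or RPC layer can walk the Marshal byte stream itself (the same format as the "\u0004\bc\rMyObject" class reference quoted above), collect every class or module the payload names, and refuse to call Marshal.load on anything outside an allowlist. MyObject reuses the reporter's class name; the Other class, the allowlist and the payloads are constructed for illustration. The taint bug itself is not reproduced here, since taint and $SAFE no longer exist in current Ruby.

```ruby
require "stringio"

# Added example, not from the bug report or from Ruby itself: a minimal reader
# for the Marshal 4.8 wire format that lists every class or module a payload
# references, so a cache or RPC layer can refuse unexpected class references
# before Marshal.load runs at all. MyObject mirrors the reporter's class name;
# Other, the allowlist and the payloads below are constructed.
class MarshalScanner
  def self.referenced_classes(data)
    new(data).scan
  end

  def initialize(data)
    @io = StringIO.new(data.b)  # binary view of the stream
    @symbols = []               # symbol table for ';' back-references
    @names = []                 # class/module names in order of appearance
  end

  def scan
    major, minor = (@io.read(2) || "").unpack("CC")
    unless major == 4 && minor && minor <= 8
      raise ArgumentError, "unsupported Marshal version #{major}.#{minor}"
    end
    walk
    raise ArgumentError, "trailing bytes after object" unless @io.eof?
    @names.uniq
  end

  private

  # Marshal's variable-length integer (r_long in marshal.c): one signed byte
  # for small values, otherwise a byte count followed by little-endian bytes.
  def read_long
    c = @io.readbyte
    c -= 256 if c > 127
    return 0 if c.zero?
    if c > 0
      return c - 5 if c > 4
      (0...c).inject(0) { |x, i| x | (@io.readbyte << (8 * i)) }
    else
      return c + 5 if c < -4
      (0...-c).inject(-1) { |x, i| (x & ~(0xff << (8 * i))) | (@io.readbyte << (8 * i)) }
    end
  end

  def read_bytes
    @io.read(read_long)
  end

  def read_name
    read_bytes.force_encoding(Encoding::UTF_8)
  end

  # The symbol naming the class of an 'o', 'S', 'u', 'U', 'e', 'C' or 'd' record.
  def record_class_symbol
    name = walk
    raise ArgumentError, "expected a class symbol" unless name.is_a?(String)
    @names << name
  end

  # Walks one object; returns the name for symbols, nil for everything else.
  def walk
    case @io.readbyte.chr
    when "0", "T", "F" then nil                                 # nil, true, false
    when "i" then read_long; nil                                # fixnum
    when "f" then read_bytes; nil                               # float as text
    when "l" then @io.readbyte; @io.read(2 * read_long); nil    # bignum: sign, shorts
    when "\"" then read_bytes; nil                              # string body
    when "/" then read_bytes; @io.readbyte; nil                 # regexp source, options
    when ":" then (@symbols << read_name).last                  # new symbol
    when ";" then @symbols.fetch(read_long)                     # symbol back-reference
    when "@" then read_long; nil                                # object back-reference
    when "I"                                                    # object followed by ivar pairs
      inner = walk
      read_long.times { walk; walk }
      inner
    when "[" then read_long.times { walk }; nil
    when "{" then read_long.times { walk; walk }; nil
    when "}" then read_long.times { walk; walk }; walk; nil     # hash with default value
    when "c", "m", "M" then @names << read_name; nil            # class / module reference
    when "o", "S" then record_class_symbol; read_long.times { walk; walk }; nil
    when "u" then record_class_symbol; read_bytes; nil          # _dump payload
    when "U", "e", "C", "d" then record_class_symbol; walk; nil
    else raise ArgumentError, "unknown Marshal type byte"
    end
  end
end

# Loads only when every referenced constant is on the allowlist.
def safe_marshal_load(data, allowed:)
  unexpected = MarshalScanner.referenced_classes(data) - allowed
  unless unexpected.empty?
    raise SecurityError, "refusing payload that references #{unexpected.join(', ')}"
  end
  Marshal.load(data)
end

class MyObject          # stand-in for the reporter's class (constructed)
  def initialize(name)
    @name = name
  end
end

class Other; end        # constructed: a class the cache should never see

if __FILE__ == $0
  cached = Marshal.dump("klass" => MyObject, "items" => [1, "two", :three, 4.5, nil],
                        "obj" => MyObject.new("x"))
  p MarshalScanner.referenced_classes(cached)            # => ["MyObject"]
  p safe_marshal_load(cached, allowed: ["MyObject"]).keys
  begin
    safe_marshal_load(Marshal.dump([Other]), allowed: ["MyObject"])
  rescue SecurityError => e
    puts e.message
  end
end
```

The scan runs over the bytes before any constant is resolved, so the decision to reject happens before Marshal.load can touch (or, on the affected versions, taint) a class. It only enforces which constants a payload may name; it does not make Marshal.load safe for data from an untrusted source, which should not be deserialized with Marshal at all.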
Posted by mame (Yusuke Endoh) (Guest)
on 2012-11-25 04:11
(Received via mailing list)
Issue #7325 has been updated by mame (Yusuke Endoh).

Status changed from Open to Assigned
Assignee set to shugo (Shugo Maeda)
Target version set to 2.0.0

Summarized:

  p Integer.tainted? #=> false
  Marshal.load(Marshal.dump(Integer).taint)
  p Integer.tainted? #=> expected: false, actual: true

Indeed, it looks weird.  Shugo-san, what do you think?

--
Yusuke Endoh <mame@tsg.ne.jp>
----------------------------------------
Bug #7325: Marshal#load taints classes if they are referenced in a marshaled object
https://bugs.ruby-lang.org/issues/7325#change-33844

Author: urielka (Uriel Katz)
Status: Assigned
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category:
Target version: 2.0.0
ruby -v: ruby 1.9.3p327 (2012-11-10 revision 37606) [x86_64-linux]


Posted by usa (Usaku NAKAMURA) (Guest)
on 2012-12-14 09:36
(Received via mailing list)
Issue #7325 has been updated by usa (Usaku NAKAMURA).


memo: r38357 is also related.
----------------------------------------
Backport #7325: Marshal#load taints classes if they are referenced in a marshaled object
https://bugs.ruby-lang.org/issues/7325#change-34737

Author: urielka (Uriel Katz)
Status: Assigned
Priority: Normal
Assignee: usa (Usaku NAKAMURA)
Category:
Target version:

