Gsub $B$G(B taint $B$K$J$k(B

Ruby Development
1

e$B$H$_$?$G$9!#e(B

1.8.5 e$B$G!"e(Buntaint e$B$7$?J8;zNs$KBP$7$Fe(B gsub e$B$9$k$He(B taint
e$B$K$J$C$F$7$^$$e(B
e$B$^$9!#e(B

hoge = “abcdefg”
hoge.taint
hoge =~ /[a-z]/
hoge.untaint
p hoge.tainted? # => false
hoge.gsub!(/^[a-z]/) {|s| s}
p hoge.tainted? # => true

3e$B9TL$N!Ve(Bhoge =~ /[a-z]/e$B!W$r%3%a%s%H%"%&%H$9$k$H!":G8e$Ne(B
tainted? e$B$be(B
false e$B$K$J$j$^$9!#e(B

e$B%=!<%9$rDI$$$+$1$F$_$?$N$G$9$,!"e(Brb_str_new4() e$B$Ne(B

if (FL_TEST(orig, ELTS_SHARED) && (str = RSTRING(orig)->aux.shared)

&& klass == RBASIC(str)->klass) {

e$B$G!“e(BRSTRING(orig)->aux.shared e$B$,e(B tainted
e$B$J$?$a$K!”@8@.$5$l$ke(B String
e$B%*%V%8%’%/%H$be(B tainted e$B$K$J$C$F$$$k$h$&$G$9!#e(B

e$B$I$N$h$&$K=$@5$9$l$P$h$$$N$+$^$G$O!"$o$+$j$^$;$s$G$7$?!#e(B

2

e$B$J$+$@$G$9!#e(B

At Thu, 19 Oct 2006 15:38:53 +0900,
e$B$H$_$?$^$5$R$me(B wrote in [ruby-dev:29672]:

1.8.5 e$B$G!"e(Buntaint e$B$7$?J8;zNs$KBP$7$Fe(B gsub e$B$9$k$He(B taint e$B$K$J$C$F$7$^$$e(B
e$B$^$9!#e(B

[ruby-core:09152]e$B$HF1$8$C$]$$5$$,$7$^$9$,!"e(B[ruby-core:09219]e$B$G$I$&$G$7$ge(B
e$B$&$+!#e(B

3

e$B$H$_$?$G$9!#e(B

On Thu, 19 Oct 2006 17:24:25 +0900
“Nobuyoshi N.” [email protected] wrote:

1.8.5 e$B$G!"e(Buntaint e$B$7$?J8;zNs$KBP$7$Fe(B gsub e$B$9$k$He(B taint e$B$K$J$C$F$7$^$$e(B
e$B$^$9!#e(B

[ruby-core:09152]e$B$HF1$8$C$]$$5$$,$7$^$9$,!"e(B[ruby-core:09219]e$B$G$I$&$G$7$ge(B
e$B$&$+!#e(B

[ruby-core:09219] e$B$Oe(B 1.8.5
e$B$K$O$=$N$^$^$G$OE,MQ$G$-$J$+$C$?$N$G!"8+$he(B
e$B$&8+$^$M$G<!$N$h$&$KJQ99$7$F$_$^$7$?$,!"7k2L$O$+$o$j$^$;$s$G$7$?!#e(B

— string.c.orig 2006-07-31 15:34:10.000000000 +0900
+++ string.c 2006-10-19 18:10:44.000000000 +0900
@@ -146,7 +146,6 @@
RSTRING(str2)->ptr = RSTRING(str)->ptr;
RSTRING(str2)->aux.shared = str;
FL_SET(str2, ELTS_SHARED);

  • OBJ_INFECT(str2, str);

    return str2;
    }
    @@ -155,7 +154,10 @@
    rb_str_new3(str)
    VALUE str;
    {

  • return str_new3(rb_obj_class(str), str);

  • VALUE str2 = str_new3(rb_obj_class(str), str);
  • OBJ_INFECT(str2, str);
  • return str2;
    }

static VALUE
@@ -610,7 +612,8 @@
}
else if (len > sizeof(struct RString)/2 &&
beg + len == RSTRING(str)->len && !FL_TEST(str, STR_ASSOC)) {

  •   str2 = rb_str_new3(rb_str_new4(str));

  •    str2 = rb_str_new4(str);

  •    str2 = str_new3(rb_obj_class(str2), str);
  RSTRING(str2)->ptr += RSTRING(str2)->len - len;
  RSTRING(str2)->len = len;
    }
4

e$B$J$+$@$G$9!#e(B

At Thu, 19 Oct 2006 18:28:19 +0900,
e$B$H$_$?$^$5$R$me(B[email protected] wrote in [ruby-dev:29674]:

[ruby-core:09219] e$B$Oe(B 1.8.5 e$B$K$O$=$N$^$^$G$OE,MQ$G$-$J$+$C$?$N$G!"8+$he(B
e$B$&8+$^$M$G<!$N$h$&$KJQ99$7$F$_$^$7$?$,!"7k2L$O$+$o$j$^$;$s$G$7$?!#e(B

e$B$$$^$$$A5$$KF~$i$J$$$s$G$9$,!"$3$&$+$J!#e(B

Index: string.c

RCS file: /pub/cvs/ruby/string.c,v
retrieving revision 1.182.2.53
diff -U 2 -p -u -r1.182.2.53 string.c
— string.c 7 Oct 2006 15:55:00 -0000 1.182.2.53
+++ string.c 19 Oct 2006 11:14:04 -0000
@@ -147,5 +147,4 @@ str_new3(klass, str)
RSTRING(str2)->aux.shared = str;
FL_SET(str2, ELTS_SHARED);

  • OBJ_INFECT(str2, str);

    return str2;
    @@ -156,5 +155,8 @@ rb_str_new3(str)
    VALUE str;
    {

  • return str_new3(rb_obj_class(str), str);

  • VALUE str2 = str_new3(rb_obj_class(str), str);
  • OBJ_INFECT(str2, str);
  • return str2;
    }

@@ -190,5 +192,5 @@ rb_str_new4(orig)
long ofs;
ofs = RSTRING(str)->len - RSTRING(orig)->len;

  • if (ofs > 0) {
  • if ((ofs > 0) || (!OBJ_TAINTED(str) && OBJ_TAINTED(orig))) {
    str = str_new3(klass, str);
    RSTRING(str)->ptr += ofs;
    @@ -611,5 +613,6 @@ rb_str_substr(str, beg, len)
    else if (len > sizeof(struct RString)/2 &&
    beg + len == RSTRING(str)->len && !FL_TEST(str, STR_ASSOC)) {
  • str2 = rb_str_new3(rb_str_new4(str));
  • str2 = rb_str_new4(str);
  • str2 = str_new3(rb_obj_class(str2), str2);
    RSTRING(str2)->ptr += RSTRING(str2)->len - len;
    RSTRING(str2)->len = len;
5

e$B$^$D$b$He(B e$B$f$-$R$m$G$9e(B

In message “Re: [ruby-dev:29675] Re: gsub e$B$Ge(B taint e$B$K$J$ke(B”
on Thu, 19 Oct 2006 20:25:18 +0900, “Nobuyoshi N.”
[email protected] writes:

|At Thu, 19 Oct 2006 18:28:19 +0900,
|e$B$H$$?$^$5$R$me(B[email protected] wrote in [ruby-dev:29674]:
|> [ruby-core:09219] e$B$Oe(B 1.8.5 e$B$K$O$=$N$^$^$G$OE,MQ$G$-$J$+$C$?$N$G!"8+$he(B
|> e$B$&8+$^$M$G<!$N$h$&$KJQ99$7$F$$^$7$?$,!“7k2L$O$+$o$j$^$;$s$G$7$?!#e(B
|
|e$B$$$^$$$A5$$KF~$i$J$$$s$G$9$,!”$3$&$+$J!#e(B

e$B%3%_%C%H$7$F$/$@$5$$!#e(B

6

e$B$H$_$?$G$9!#e(B

On Thu, 19 Oct 2006 20:25:18 +0900
“Nobuyoshi N.” [email protected] wrote:

[ruby-core:09219] e$B$Oe(B 1.8.5 e$B$K$O$=$N$^$^$G$OE,MQ$G$-$J$+$C$?$N$G!"8+$he(B
e$B$&8+$^$M$G<!$N$h$&$KJQ99$7$F$_$^$7$?$,!"7k2L$O$+$o$j$^$;$s$G$7$?!#e(B

e$B$$$^$$$A5$$KF~$i$J$$$s$G$9$,!"$3$&$+$J!#e(B

e$B$A$c$s$H4|BT$I$*$j$KF0:n$9$k$h$&$K$J$j$^$7$?!#e(B