RSS::Parser.parse$B$G(BSecurityError

西山和広です。

http://lists.sourceforge.jp/mailman/archives/hiki-dev/2007-March/001150.html
[Hiki-dev:01151] Ruby
1.8.6e$B$Ge(Brss-showe$B$r$&$4$+$9$He(Bsecuritye$B%(%i!<e(B

というのを調べていて気がついたのですが、

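#!/usr/bin/ruby
# Minimal reproduction for Ruby 1.8.6: RSS::Parser.parse raises SecurityError
# when it is handed a tainted String while $SAFE is 1.
#
# NOTE(review): this depends on the taint/$SAFE mechanism of Ruby 1.8. Later
# Ruby releases deprecated and then removed that mechanism, so the script only
# reproduces on interpreters that still enforce taint checks.
require 'rss'

# Build a small RSS 1.0 document to feed back into the parser.
rss = RSS::Maker.make("1.0") do |maker|
  maker.channel.about = "http://example.com/index.rdf"
  maker.channel.title = "Example"
  maker.channel.description = "Example Site"
  maker.channel.link = "http://example.com/"
end.to_s

# Mark the document as untrusted input.
rss.taint

# Raise the safe level; the report states the failure occurs at $SAFE 1 or 2.
$SAFE = 1

# Second argument false disables validation. Per the report this call fails in
# rss/parser.rb:314 with "Insecure: can't intern tainted string (SecurityError)"
# raised from respond_to?.
RSS::Parser.parse(rss, false)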

e$B$N$h$&$Ke(B$SAFEe$B$,e(B1e$B$+e(B2e$B$N$H$-$K!"e(Btaintede$B$Je(BStringe$B$re(BRSS::Parser.parsee$B$KEO$9$He(B
…/rss/parser.rb:314:in `respond_to?': Insecure: can’t intern tainted
string (SecurityError)
e$B$K$J$j$^$9!#e(B
($SAFEe$B$,e(B3e$B$He(B4e$B$N$H$-$O$=$l$>$lJL$N$H$3$m$Ge(B SecurityError
e$B$K$J$k$1$I!"e(B
e$B$=$l$O$?$V$sLdBj$O$J$$$O$:!#e(B)

原因として、以下のように対応する Symbol がない String を
引数として respond_to? を呼び出すと SecurityError に
なっているようです。

e$B$3$N$H$-!“e(BSecurityError e$B$K$J$k$J$ie(Brespond_to? e$B$Oe(B false
e$B$Ke(B
e$B$J$k$O$:!”$HM=B,$G$-$F$7$^$&$N$Ge(B SecurityError e$B$G$O$J$/e(B
false e$B$rJV$7$F$b%;%-%e%j%F%#$NLdBj$O$J$$$H;W$&$N$G$9$,!"e(B
e$B$I$&$G$7$g$&$+e(B?

% ruby18 -ve '$SAFE=1; respond_to? "to_a".taint'
ruby 1.8.6 (2007-03-13 patchlevel 5000) [i686-linux]
% ruby18 -ve '$SAFE=1; respond_to? "hoge".taint'
ruby 1.8.6 (2007-03-13 patchlevel 5000) [i686-linux]
-e:1:in `respond_to?': Insecure: can't intern tainted string (SecurityError)
from -e:1
% ruby18 -ve 'def hoge; end; $SAFE=1; respond_to? "hoge".taint'
ruby 1.8.6 (2007-03-13 patchlevel 5000) [i686-linux]
% ruby18 -ve ':hoge; $SAFE=1; respond_to? "hoge".taint'
ruby 1.8.6 (2007-03-13 patchlevel 5000) [i686-linux]
-e:1: warning: unused literal ignored
%