Forum: Ruby-core [ruby-trunk - Bug #8945][Open] Unmarshaling an Array containing a Bignum from a tainted String retur

Brian Ford (brixen)
on 2013-09-24 06:08
(Received via mailing list)
Issue #8945 has been reported by brixen (Brian Shirai).

----------------------------------------
Bug #8945: Unmarshaling an Array containing a Bignum from a tainted
String returns a frozen, tainted Bignum
https://bugs.ruby-lang.org/issues/8945

Author: brixen (Brian Shirai)
Status: Open
Priority: Normal
Assignee:
Category:
Target version: current: 2.1.0
ruby -v: ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


In 2.1, Symbol, Fixnum, Bignum, and Float (at least) have been changed
to frozen by default. Consequently, calling #taint on an instance of
those classes raises a RuntimeError because a frozen object cannot be
modified to be tainted. However:

sasha:rbx brian$ ruby -v
ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
sasha:rbx brian$ irb
irb(main):001:0> a = 0xffff_ffff_ffff_ffff
=> 18446744073709551615
irb(main):002:0> a.class
=> Bignum
irb(main):003:0> a.frozen?
=> true
irb(main):004:0> a.tainted?
=> false
irb(main):005:0> str = Marshal.dump([a]).taint
=> "\x04\b[\x06l+\t\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
irb(main):006:0> str.tainted?
=> true
irb(main):007:0> aa = Marshal.load(str)
=> [18446744073709551615]
irb(main):008:0> aa.first.class
=> Bignum
irb(main):009:0> aa.first.frozen?
=> true
irb(main):010:0> aa.first.tainted?
=> true
irb(main):011:0>

The behavior above is inconsistent with the results of performing the
same operations on instances of Symbol, Fixnum, Float. For example:

irb(main):014:0> :a.frozen?
=> true
irb(main):015:0> :a.tainted?
=> false
irb(main):016:0> str = Marshal.dump([:a]).taint
=> "\x04\b[\x06:\x06a"
irb(main):017:0> aa = Marshal.load(str)
=> [:a]
irb(main):018:0> aa.tainted?
=> true
irb(main):019:0> aa.first.frozen?
=> true
irb(main):020:0> aa.first.tainted?
=> false
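
The two results in this report, reproduced as an added sketch (not code from the thread or from MRI): a reader for the part of the Marshal format that appears in the two dumps above, with the taint flag modelled as a struct field because `Object#taint` was later removed from Ruby. `Node`, `MiniUnmarshal`, `load_model` and the `taint_numerics` switch are hypothetical names; the switch set to `true` models the reported behaviour and `false` models a loader that never taints Numerics.

```ruby
# Added sketch, not MRI code: reads the Marshal 4.8 subset seen in this thread
# ('[' Array, 'l' Bignum, ':' Symbol, 'i' Fixnum). Object#taint is gone from
# current Ruby, so the taint flag is modelled as a field on Node.
Node = Struct.new(:value, :tainted)

class MiniUnmarshal
  # taint_numerics: true models the reported behaviour, false a fixed loader.
  def initialize(bytes, source_tainted:, taint_numerics:)
    @io = bytes.b.each_byte
    @src = source_tainted
    @num = taint_numerics
    version = [@io.next, @io.next]
    raise ArgumentError, "unsupported version" unless version == [4, 8]
  end

  # Marshal's compact integer encoding, used for lengths and Fixnums.
  def long
    c = @io.next
    c -= 256 if c > 127
    return 0 if c.zero?
    return c - 5 if c > 4
    return c + 5 if c < -4
    n = (0...c.abs).sum { |i| @io.next << (8 * i) }
    c > 0 ? n : n - (1 << (8 * c.abs))
  end

  def read
    case tag = @io.next.chr
    when "[" then Node.new(Array.new(long) { read }, @src)
    when ":" then Node.new(Array.new(long) { @io.next }.pack("C*").to_sym, false)
    when "i" then Node.new(long, false)
    when "l"
      sign = @io.next.chr
      shorts = long                     # magnitude length in 16-bit units
      mag = (0...shorts * 2).sum { |i| @io.next << (8 * i) }
      Node.new(sign == "-" ? -mag : mag, @src && @num)
    else raise ArgumentError, "type #{tag.inspect} not handled in this sketch"
    end
  end
end

# The two dumps shown in the report.
BIGNUM_DUMP = "\x04\b[\x06l+\t\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF".b
SYMBOL_DUMP = "\x04\b[\x06:\x06a".b

def load_model(bytes, taint_numerics:)
  MiniUnmarshal.new(bytes, source_tainted: true, taint_numerics: taint_numerics).read
end
```
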
unknown (Guest)
on 2014-01-30 05:19
(Received via mailing list)
Issue #8945 has been updated by Hiroshi SHIBATA.

Target version changed from 2.1.0 to current: 2.2.0

----------------------------------------
Bug #8945: Unmarshaling an Array containing a Bignum from a tainted
String returns a frozen, tainted Bignum
https://bugs.ruby-lang.org/issues/8945#change-44719

* Author: Brian Shirai
* Status: Open
* Priority: Normal
* Assignee:
* Category:
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN
Nobuyoshi Nakada (nobu)
on 2014-02-07 13:58
(Received via mailing list)
Issue #8945 has been updated by Nobuyoshi Nakada.

Category set to core
Status changed from Open to Assigned
Assignee set to Yukihiro Matsumoto

As `Bignum` instances are frozen now, it feels reasonable that they
never be tainted, IMO.

----------------------------------------
Bug #8945: Unmarshaling an Array containing a Bignum from a tainted
String returns a frozen, tainted Bignum
https://bugs.ruby-lang.org/issues/8945#change-45011

* Author: Brian Shirai
* Status: Assigned
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* Category: core
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN
unknown (Guest)
on 2014-02-08 14:05
(Received via mailing list)
Issue #8945 has been updated by Yukihiro Matsumoto.


Agreed.  It should be consistent here.

Matz.


----------------------------------------
Bug #8945: Unmarshaling an Array containing a Bignum from a tainted
String returns a frozen, tainted Bignum
https://bugs.ruby-lang.org/issues/8945#change-45025

* Author: Brian Shirai
* Status: Assigned
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* Category: core
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN
Nobuyoshi Nakada (nobu)
on 2014-02-08 18:14
(Received via mailing list)
Issue #8945 has been updated by Nobuyoshi Nakada.

Status changed from Assigned to Closed
% Done changed from 0 to 100

Applied in changeset r44891.

----------
marshal.c: Numerics are not tainted

* include/ruby/ruby.h (OBJ_TAINTABLE, OBJ_TAINT, OBJ_INFECT),
  marshal.c (r_entry0): all Numerics never be tainted now.
  [ruby-core:57346] [Bug #8945]

----------------------------------------
Bug #8945: Unmarshaling an Array containing a Bignum from a tainted
String returns a frozen, tainted Bignum
https://bugs.ruby-lang.org/issues/8945#change-45029

* Author: Brian Shirai
* Status: Closed
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* Category: core
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN
unknown (Guest)
on 2014-02-14 05:15
(Received via mailing list)
Issue #8945 has been updated by Usaku NAKAMURA.

Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REJECTED,
2.0.0: UNKNOWN

IMO this is a feature change, although it is infinitely close to a bug.
So, I decided not to backport this into 1.9.3.


----------------------------------------
Bug #8945: Unmarshaling an Array containing a Bignum from a tainted
String returns a frozen, tainted Bignum
https://bugs.ruby-lang.org/issues/8945#change-45117

* Author: Brian Shirai
* Status: Closed
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* Category: core
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.0dev (2013-09-24 trunk 43025) [x86_64-darwin13.0.0]
* Backport: 1.9.3: REJECTED, 2.0.0: UNKNOWN