Forum: Ruby-core Tainted string permitted in Kernel.trap in safe level 1

unknown (Guest)
on 2014-02-25 18:08
(Received via mailing list)
Issue #9564 has been updated by Usaku NAKAMURA.


Since r1827 (Nov. 13, 2001), trap intentionally checks whether the
block is tainted or not, but never checks the first parameter (signal
name).
So, I guess that it's the documentation's fault.

----------------------------------------
Bug #9564: Tainted string permitted in Kernel.trap in safe level 1
https://bugs.ruby-lang.org/issues/9564#change-45476

* Author: Jan Rusnacko
* Status: Open
* Priority: Normal
* Assignee:
* Category:
* Target version:
* ruby -v: all?
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
According to the existing documentation (I am referring to Programming
Ruby: The Pragmatic Programmer's Guide at
http://ruby-doc.com/docs/ProgrammingRuby/ and The Ruby Programming
Language by Flanagan, Matsumoto), Kernel.trap should not accept a tainted
string if $SAFE >= 1.

However, this is true only for $SAFE >= 2, and a tainted signal string is
accepted in safe level 1:

signal = "SIGKILL".taint

Thread.start {
  $SAFE = 1
  # no exception
  trap(signal) { puts 'foo'}
}.join

Thread.start {
  $SAFE = 2
  # throws SecurityError
  trap(signal) { puts 'foo'}
}.join
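
Added example, not part of the original thread or of Ruby itself: since trap does not check the signal name at safe level 1, code that takes a signal name from untrusted input can validate it against an allowlist before calling trap. ALLOWED_SIGNALS, UntrustedSignalError, canonical_signal and trap_untrusted are hypothetical names chosen for this sketch.

```ruby
# Allowlist gate for signal names that come from untrusted input.
# It does not rely on taint tracking or $SAFE.
ALLOWED_SIGNALS = %w[USR1 USR2 HUP].freeze   # assumption: signals the app handles

class UntrustedSignalError < ArgumentError; end

# Normalise "SIGUSR1", "usr1" or " USR1\n" to "USR1"; reject everything else.
def canonical_signal(name)
  unless name.is_a?(String)
    raise UntrustedSignalError, "signal name must be a String"
  end
  canon = name.strip.upcase.sub(/\ASIG/, "")
  # \A and \z anchor the whole string, so embedded newlines cannot slip through.
  unless canon.match?(/\A[A-Z0-9]+\z/)
    raise UntrustedSignalError, "malformed signal name: #{name.inspect}"
  end
  unless ALLOWED_SIGNALS.include?(canon)
    raise UntrustedSignalError, "signal not permitted: #{canon}"
  end
  unless Signal.list.key?(canon)
    raise UntrustedSignalError, "signal not supported here: #{canon}"
  end
  canon
end

# Install a handler only after the name has passed the allowlist.
# Returns the previous handler, exactly as Signal.trap does.
def trap_untrusted(name, &handler)
  raise ArgumentError, "handler block required" unless handler
  Signal.trap(canonical_signal(name), &handler)
end
```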