Strange problem with regular expressions and tainted values

Hadmut_Danisch5 · 27 October 2005 20:47

Hi,

I have a ruby program which fetches some web pages, and for security
reasons I have set $SAFE to 1 or 2. Since then I am hunting a strange
problem with tainted values.

Within the program, I have a (definitely untainted) variable url
containing the URL to get. At a later point the interpreter complains
about using a tainted variable which was derived with a regular
expression. I have inserted some debugging code and it boils down to

puts "UUU #{url} #{url.tainted?}"

    case url
      when /(.)/
  puts "AAA #{$1} #{$1.tainted?}"
    end

which prints

UUU http://www.ruby-lang.org false
AAA h true

But when I put this code snippet into a separate file

#!/usr/bin/ruby

$SAFE=2

url="http://www.ruby-lang.org"
puts "UUU #{url} #{url.tainted?}"

  case url
    when /(.)/
      puts "AAA #{$1} #{$1.tainted?}"
  end

it prints

UUU http://www.danisch.de false
AAA h false

Why would the regular expression give a tainted result in the first
case, but not in the separate example, which appears to be the very same
code? Any side effect?

Hadmut

Topic		Replies	Views
1.8.4 untaint behavior ruby-talk	3	108	18 January 2006
ENV variables and tainted input ruby-talk	1	124	6 July 2012
Symbols and tainting ruby-talk	4	83	2 December 2002
Eval + taint problem ruby-talk	5	66	5 March 2004
Security riddle with $SAFE and untainted strings ruby-talk	0	143	23 August 2005

Strange problem with regular expressions and tainted values

Related topics