irb(main):001:0> t = "p 'hello world'".taint
=> "p 'hello world'"
irb(main):002:0> s = t.intern
=> 'hello world'
irb(main):003:0> s.tainted?
=> false
Is this a security vulnerability?
--
John Long
http://wiseheartdesign.com
John W. Long wrote:
> irb(main):001:0> t = "p 'hello world'".taint
> => "p 'hello world'"
> irb(main):002:0> s = t.intern
> => 'hello world'
> irb(main):003:0> s.tainted?
> => false
> Is this a security vulnerability?
At first it appears to be since you can then do
irb(main):006:0> $SAFE=1
=> 1
irb(main):006:0> eval s.to_s
"hello world"
=> nil
However, I don't think this will actually cause any security problems,
since you need to ask yourself why your program would take a string from
an external source, convert it to a symbol and then back into a string
again.
--
Mark Sparshatt
> irb(main):001:0> t = "p 'hello world'".taint
> => "p 'hello world'"
> irb(main):002:0> s = t.intern
> => 'hello world'
> irb(main):003:0> s.tainted?
> => false
> Is this a security vulnerability?
I can't answer that, but see the following case:
$SAFE=1
ut = "'Hello world'" # untainted string
us = ut.intern # untainted symbol
t = gets.chomp # -> happens to be 'Hello world'
s = t.intern # tainted
now 'us' points to a tainted symbol... I think that would be
undesirable...
> t = gets.chomp # -> happens to be 'Hello world'
> s = t.intern # tainted
svg% ruby -e 't = "aa"; t.taint; p t.intern.tainted?'
false
svg%
Guy Decoux
---- Carlos wrote: ----
> $SAFE=1
> ut = "'Hello world'" # untainted string
> us = ut.intern # untainted symbol
> t = gets.chomp # -> happens to be 'Hello world'
> s = t.intern # tainted
> now 'us' points to a tainted symbol... I think that would be
> undesirable...
I'm not quite sure what you are trying to point out here. In the above
example 'us' would always be untainted. To my mind 'us' should have the same
taint that the string it was created from had.
--
John Long
http://wiseheartdesign.com
>> t = gets.chomp # -> happens to be 'Hello world'
>> s = t.intern # tainted
> svg% ruby -e 't = "aa"; t.taint; p t.intern.tainted?'
> false
> svg%
It was a hypothetical example to show why I think it is a bad idea to
transmit taint with #intern.
>> $SAFE=1
>> ut = "'Hello world'" # untainted string
>> us = ut.intern # untainted symbol
>> t = gets.chomp # -> happens to be 'Hello world'
>> s = t.intern # tainted
>> now 'us' points to a tainted symbol... I think that would be
>> undesirable...
> I'm not quite sure what you are trying to point out here. In the above
> example 'us' would always be untainted. To my mind 'us' should have the same
> taint that the string it was created from had.
'us' and 's' refer to the same object.
Symbols are like Fixnums; there is only one object for each different
symbol. So, "aa".id != "aa".id, but "aa".intern.id == "aa".intern.id.
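A small Ruby script, added here and not taken from any of the posts, that stands in for the old taint bit with a side table keyed by object identity (String#taint no longer exists in current Ruby) and runs Carlos's scenario: the trusted and untrusted strings intern to one Symbol object, so taint carried onto that Symbol would reach the trusted side as well. It ends with the allowlist check that Mark's question points to. TaintTable, symbol_taint_leak, ALLOWED_SYMBOLS and safe_intern are names made up for this example.

```ruby
require 'set'

# Stand-in for the 1.8 per-object taint bit: a side table keyed by object
# identity, so this runs on Rubies that no longer have String#taint.
class TaintTable
  def initialize
    @tainted = Set.new
  end

  def taint(obj)
    @tainted << obj.object_id
    obj
  end

  def tainted?(obj)
    @tainted.include?(obj.object_id)
  end
end

# Carlos's scenario. `trusted` stands for a literal in the program, `untrusted`
# for text that arrived from outside (constructed sample input, same characters).
def symbol_taint_leak(table, trusted = "'Hello world'", untrusted = "'Hello world'".dup)
  table.taint(untrusted)                        # input read from gets would be tainted
  us = trusted.intern                           # symbol built from the trusted string
  s  = untrusted.intern                         # symbol built from the tainted string
  table.taint(s) if table.tainted?(untrusted)   # what "#intern propagates taint" would do
  {
    strings_distinct:       !trusted.equal?(untrusted), # two String objects...
    same_symbol:            us.equal?(s),               # ...but one Symbol object,
    trusted_symbol_tainted: table.tainted?(us)          # so the trusted side is tainted too
  }
end

# Mark's point, made defensive: untrusted text becomes a Symbol only if it names
# one the program already expects; anything else is rejected, never interned or eval'd.
ALLOWED_SYMBOLS = [:start, :stop].freeze

def safe_intern(text)
  ALLOWED_SYMBOLS.find { |sym| sym.to_s == text } or
    raise ArgumentError, "unexpected input #{text.inspect}"
end
```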