H
Hadmut Danisch
Hi,
I have a ruby program which fetches some web pages, and for security
reasons I have set $SAFE to 1 or 2. Since then I am hunting a strange
problem with tainted values.
Within the program, I have a (definitely untainted) variable url
containing the URL to get. At a later point the interpreter complains
about using a tainted variable which was derived with a regular
expression. I have inserted some debugging code and it boils down to
puts "UUU #{url} #{url.tainted?}"
case url
when /(.)/
puts "AAA #{$1} #{$1.tainted?}"
end
which prints
UUU http://www.ruby-lang.org false
AAA h true
But when I put this code snippet into a separate file
#!/usr/bin/ruby
$SAFE=2
url="http://www.ruby-lang.org"
puts "UUU #{url} #{url.tainted?}"
case url
when /(.)/
puts "AAA #{$1} #{$1.tainted?}"
end
it prints
UUU http://www.danisch.de false
AAA h false
Why would the regular expression give a tainted result in the first
case, but not in the separate example, which appears to be the very same
code? Any side effect?
Hadmut
I have a ruby program which fetches some web pages, and for security
reasons I have set $SAFE to 1 or 2. Since then I am hunting a strange
problem with tainted values.
Within the program, I have a (definitely untainted) variable url
containing the URL to get. At a later point the interpreter complains
about using a tainted variable which was derived with a regular
expression. I have inserted some debugging code and it boils down to
puts "UUU #{url} #{url.tainted?}"
case url
when /(.)/
puts "AAA #{$1} #{$1.tainted?}"
end
which prints
UUU http://www.ruby-lang.org false
AAA h true
But when I put this code snippet into a separate file
#!/usr/bin/ruby
$SAFE=2
url="http://www.ruby-lang.org"
puts "UUU #{url} #{url.tainted?}"
case url
when /(.)/
puts "AAA #{$1} #{$1.tainted?}"
end
it prints
UUU http://www.danisch.de false
AAA h false
Why would the regular expression give a tainted result in the first
case, but not in the separate example, which appears to be the very same
code? Any side effect?
Hadmut