tainted symbols?

John W. Long

irb(main):001:0> t = "p 'hello world'".taint
=> "p 'hello world'"
irb(main):002:0> s = t.intern
=> :p 'hello world'
irb(main):003:0> s.tainted?
=> false

Is this a security vulnerability?
 
Mark

John said:
> irb(main):001:0> t = "p 'hello world'".taint
> => "p 'hello world'"
> irb(main):002:0> s = t.intern
> => :p 'hello world'
> irb(main):003:0> s.tainted?
> => false
>
> Is this a security vulnerability?
At first it appears to be since you can then do

irb(main):006:0> $SAFE=1
=> 1
irb(main):006:0> eval s.to_s
"hello world"
=> nil

However I don't think this will actually cause any security problems
since you need to ask yourself why your program would take a string from
an external source, convert it to a symbol and then back into a string
again.
 
Carlos

> irb(main):001:0> t = "p 'hello world'".taint
> => "p 'hello world'"
> irb(main):002:0> s = t.intern
> => :p 'hello world'
> irb(main):003:0> s.tainted?
> => false
>
> Is this a security vulnerability?

I can't answer that, but see the following case:

$SAFE=1

ut = "'Hello world'" # untainted string
us = ut.intern # untainted symbol

t = gets.chomp # -> happens to be 'Hello world'
s = t.intern # tainted

now 'us' points to a tainted symbol... I think that would be
undesirable...
 
ts

C> t = gets.chomp # -> happens to be 'Hello world'
C> s = t.intern # tainted

svg% ruby -e 't = "aa"; t.taint; p t.intern.tainted?'
false
svg%

Guy Decoux
 
Carlos

> C> t = gets.chomp # -> happens to be 'Hello world'
> C> s = t.intern # tainted
>
> svg% ruby -e 't = "aa"; t.taint; p t.intern.tainted?'
> false
> svg%

It was a hypothetical example to show why I think it is a bad idea to
transmit taint with #intern.
 
John W. Long

---- Carlos wrote: ----
> $SAFE=1
>
> ut = "'Hello world'" # untainted string
> us = ut.intern # untainted symbol
>
> t = gets.chomp # -> happens to be 'Hello world'
> s = t.intern # tainted
>
> now 'us' points to a tainted symbol... I think that would be
> undesirable...

I'm not quite sure what you are trying to point out here. In the above
example 'us' would always be untainted. To my mind 'us' should have the same
taint that the string it was created from had.
 
Carlos

> $SAFE=1
> I'm not quite sure what you are trying to point out here. In the above
> example 'us' would always be untainted. To my mind 'us' should have the same
> taint that the string it was created from had.

'us' and 's' refer to the same object.

Symbols are like Fixnums; there is only one object for each different
symbol. So, "aa".id != "aa".id, but "aa".intern.id == "aa".intern.id.
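The interning behaviour Carlos describes, written out as an added example (not code from any poster). Current Ruby no longer has `taint`/`tainted?` or the old `id` method, so the example uses `object_id`/`equal?` and a hypothetical `TaintedString` wrapper standing in for a string that came from an external source.

```ruby
# Added example, not from the thread. Shows why a per-object flag such as the
# old taint bit cannot follow a String through #intern: every String spelling
# the same text interns to one and the same Symbol object.

# Hypothetical stand-in for Ruby's removed taint mechanism: marks a string
# as having arrived from outside the program (e.g. via gets).
class TaintedString < String
  def tainted?
    true
  end
end

# Two Strings with the same text are distinct objects ("aa".id != "aa".id).
def fresh_strings_differ?(text)
  !String.new(text).equal?(String.new(text))
end

# ...but #intern on each returns the single interned Symbol.
def interned_symbols_equal?(text)
  String.new(text).intern.equal?(String.new(text).intern)
end

# Carlos's scenario: a trusted string and an untrusted one with identical
# text. 'us' and 's' are the same object, so the Symbol cannot be tainted
# for one reference and untainted for the other.
def carlos_scenario
  ut = String.new("'Hello world'")        # built inside the program
  t  = TaintedString.new("'Hello world'") # external input with the same text
  us = ut.intern
  s  = t.intern
  { string_tainted: t.tainted?, same_object: us.equal?(s) }
end

# Consequence for the defender: validate the String before interning it.
# The acceptable symbols are fixed in advance and the untrusted text is
# compared as a String, so no Symbol is ever created from raw input.
ALLOWED = %i[hello status].freeze

def symbol_for(input)
  text = input.to_s.strip
  sym = ALLOWED.find { |candidate| candidate.to_s == text }
  raise ArgumentError, "rejected input #{text.inspect}" if sym.nil?
  sym
end
```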
 
