Ruby Issue Tracking System: Issues (https://redmine.ruby-lang.org/)

Ruby master - Bug #14485 (Closed): For File#path.tainted? and File#to_path.tainted? should match ...
https://redmine.ruby-lang.org/issues/14485
2018-02-18T17:25:26Z, tscheingeld (Terry Scheingeld)
<p>Problem: if you create a File object using an untainted path, File#path and File#to_path return identical strings except they are tainted. That's counter-intuitive. If the input path has been properly vetted then File should not taint it.</p>
<p>Here's a simple example which produces a security violation:</p>
<pre><code>#!/usr/bin/ruby -w
$SAFE = 1
path = './myfile.txt'
file = File.open(path, 'r')
File.exist?(file.path)
</code></pre>
<p>which gives us this error:</p>
<pre><code>./to-path.rb:5:in `exist?': Insecure operation - exist? (SecurityError)
from ./to-path.rb:5:in `<main>'
</code></pre>
<p>In this example, path isn't tainted because it was created in the program. However, file.path, which is an identical string (i.e. not normalized), is tainted.</p>
<p>This issue became a problem in rack/lint. (Not sure how to tell which version.) Lint tries to do some optimizing, but crashes in these lines:</p>
<pre><code>if @body.respond_to?(:to_path)
assert("The file identified by body.to_path does not exist") {
::File.exist? @body.to_path
}
end
</code></pre> Ruby master - Feature #13518 (Rejected): Indented multiline commentshttps://redmine.ruby-lang.org/issues/135182017-04-28T02:47:37Ztscheingeld (Terry Scheingeld)
<p>I'd like to submit the idea that multiline comments could be indented. That is, <code>=begin</code> and <code>=end</code> do not have to start at column zero. That would allow for more flexibility in documenting and commenting code.</p>