Actions
Bug #20481
closedUntrusted Marshal data can overwrite class/module instance variables
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.3.1 (2024-04-23 revision c56cd86388) [x86_64-linux]
Description
The following code snippet shows how class/module instance variables can be overwritten in Ruby. Checked on Ruby 3.3.1.
class <<Object; attr_reader :foo; end
p Object.foo
# => nil
# Marshal.load("\x04\x08Ic\x0BObject\x06:\x09@fooi\x2F")
# # => can't override instance variable of class `Object' (TypeError)
# p Object.foo
# # => nil
Marshal.load("\x04\x08[\x07c\x0BObjectI@\x06\x06:\x09@fooi\x2F")
# => [Object, Object]
p Object.foo
# => 42
Although it is the program author's responsibility to trust Marshal data, there was an attempt to disallow write to a class instance variable and it is considered a bug that one can circumvent this check.
This bug was once submitted to HackerOne, just in case this is considered a security vulnerability, and it was concluded that the bug actually isn't.
Updated by nobu (Nobuyoshi Nakada) 8 months ago
- Status changed from Open to Closed
Applied in changeset git|8b9b150512b7b9514143a6b971992c9a539ead2f.
[Bug #20481] Check for unmarshaling ivar
Prohibit setting instance variables of existing classes and modules
via link.
Actions
Like0
Like0