Project

General

Profile

Actions
Copy link

Bug #5508

closed

Is BigDecimal really not $SAFE?

Added by angdraug (Dmitry Borodaenko) about 13 years ago. Updated almost 12 years ago.

Status:
Closed
Assignee:
mrkn (Kenta Murata)
Target version:
2.0.0
ruby -v:
ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]
Backport:
[ruby-core:40510]

Description

Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
from (irb):1:in new' from (irb):1 from /usr/bin/irb:12:in '

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().

Actions
Copy link
 #1 [ruby-core:40598]

Updated by mrkn (Kenta Murata) about 13 years ago

  • Assignee set to mrkn (Kenta Murata)
  • Target version set to 2.0.0
Actions
Copy link
 #2

Updated by shyouhei (Shyouhei Urabe) over 12 years ago

  • Status changed from Open to Assigned
Actions
Copy link
 #3

Updated by mrkn (Kenta Murata) almost 12 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r38147.
Dmitry, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0