Bug #5508
Is BigDecimal really not $SAFE?
Status: Closed
Description
Why does BigDecimal call SafeStringValue?
irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
        from (irb):1:in `new'
        from (irb):1
        from /usr/bin/irb:12:in `'
Compare with:
irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false
I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().
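The following is an added example, not code from the bug report or from ext/bigdecimal, in the direction the report suggests: validate untrusted numeric text inside the conversion instead of relying on $SAFE and string taint (which bigdecimal stopped consulting in r38147, and which later Rubies removed entirely). The function names, the strict grammar, and the length and exponent limits are assumptions chosen for this example; the sample inputs are constructed.

```ruby
# Added example (not from the bug report or ext/bigdecimal): explicit
# validation of untrusted decimal strings instead of taint checks.
require "bigdecimal"

# Strict decimal grammar: optional sign, digits with optional fraction,
# optional exponent. Whitespace, hex, underscores, "Infinity" and "NaN"
# are all rejected (assumption: the application only needs plain decimals).
STRICT_DECIMAL = /\A[+-]?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][+-]?\d+)?\z/

class UntrustedDecimalError < ArgumentError; end

# Returns a BigDecimal or raises UntrustedDecimalError.
# max_length and max_exponent are assumed limits for this example.
def parse_untrusted_decimal(input, max_length: 64, max_exponent: 308)
  raise UntrustedDecimalError, "expected String, got #{input.class}" unless input.is_a?(String)
  raise UntrustedDecimalError, "input too long" if input.bytesize > max_length
  raise UntrustedDecimalError, "malformed decimal #{input.inspect}" unless input.match?(STRICT_DECIMAL)
  # Bound the exponent so a short string cannot request an absurd magnitude
  # that later formatting (e.g. to_s("F")) would have to expand.
  if (exp = input[/[eE]([+-]?\d+)\z/, 1]) && exp.to_i.abs > max_exponent
    raise UntrustedDecimalError, "exponent #{exp} exceeds #{max_exponent}"
  end
  BigDecimal(input)
end

# The lenient behaviour the report contrasts with: String#to_i silently
# stops at the first non-digit, so "1abc".to_i == 1 and the caller never
# learns that the rest of the input was garbage.
def lenient_int(input)
  input.to_i
end

# Classify a batch of inputs as [:ok, value] or [:rejected, message].
def classify(inputs)
  inputs.map do |s|
    [:ok, parse_untrusted_decimal(s)]
  rescue UntrustedDecimalError => e
    [:rejected, e.message]
  end
end

if __FILE__ == $0
  # Constructed sample inputs, including the malformed ones the check exists for.
  samples = ["1", "-12.50", "3e5", "1abc", " 1", "1e999", "0x1F", "Infinity"]
  samples.zip(classify(samples)).each { |s, r| puts "#{s.inspect} => #{r.inspect}" }
end
```

The strict regex does the work that taint propagation was meant to hint at: the string is checked at the point of conversion, and the result is a BigDecimal the rest of the program can trust regardless of where the text came from.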
Updated by mrkn (Kenta Murata) about 13 years ago
- Assignee set to mrkn (Kenta Murata)
- Target version set to 2.0.0
Updated by shyouhei (Shyouhei Urabe) almost 13 years ago
- Status changed from Open to Assigned
Updated by mrkn (Kenta Murata) about 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r38147.
Dmitry, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- ext/bigdecimal/bigdecimal.c (BigDecimal_new): stop checking string
taintness. [Bug #5508] [ruby-core:40510]