
Bug #5508

closed

Is BigDecimal really not $SAFE?

Added by angdraug (Dmitry Borodaenko) over 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Target version:
ruby -v:
ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]
Backport:
[ruby-core:40510]

Description

Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
from (irb):1:in `new'
from (irb):1
from /usr/bin/irb:12:in '

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().
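The report contrasts two places where an untrusted numeric string could be checked: inside BigDecimal itself, or by the caller before the call. The following is an added example, not code from the bug report and not Ruby's own BigDecimal implementation, showing what the caller-side check looks like when it is done as explicit input validation rather than by untainting. The grammar, the names parse_untrusted_decimal and valid_decimal?, and the MAX_LENGTH and MAX_EXPONENT caps are assumptions chosen for the example; it does not depend on $SAFE or taint tracking.

```ruby
require 'bigdecimal'

# Added example (not from the bug report or from Ruby's BigDecimal): an
# explicit validation layer for decimal strings from an untrusted source,
# independent of $SAFE/taint tracking. Grammar and limits are assumptions.

# Accept only: optional sign, digits, optional fraction, optional exponent.
# Rejects surrounding whitespace, underscores, hex, "Infinity"/"NaN",
# and a trailing dot, all of which a lenient parser might otherwise take.
DECIMAL_LITERAL = /\A[+-]?\d+(?:\.\d+)?(?:[eE](?<exp>[+-]?\d+))?\z/

MAX_LENGTH   = 64    # assumed cap: bounds the work done on hostile input
MAX_EXPONENT = 1000  # assumed cap: keeps "1e999999999" from becoming a huge value

class UntrustedDecimalError < ArgumentError; end

# Validate an untrusted string, then convert it with Kernel#BigDecimal.
# Raises UntrustedDecimalError on anything outside the grammar or limits,
# so the conversion only ever sees input that has already been checked.
def parse_untrusted_decimal(str)
  raise UntrustedDecimalError, 'not a String' unless str.is_a?(String)
  raise UntrustedDecimalError, 'too long' if str.length > MAX_LENGTH
  m = DECIMAL_LITERAL.match(str)
  raise UntrustedDecimalError, 'malformed decimal literal' unless m
  if m[:exp] && m[:exp].to_i.abs > MAX_EXPONENT
    raise UntrustedDecimalError, 'exponent out of range'
  end
  BigDecimal(str)
end

# Boolean convenience wrapper for callers that only need accept/reject.
def valid_decimal?(str)
  parse_untrusted_decimal(str)
  true
rescue UntrustedDecimalError
  false
end

if __FILE__ == $0
  # Constructed sample inputs: the first three are well formed, the rest are not.
  samples = ['1', '-1.5', '+2e3', ' 1', '1_000', '0x10', 'Infinity', '1e5000', '1.']
  samples.each do |s|
    verdict = valid_decimal?(s) ? parse_untrusted_decimal(s).to_s('F') : 'rejected'
    puts "#{s.inspect} => #{verdict}"
  end
end
```

The length and exponent caps are the part a caller-side check can do that a bare conversion cannot: they bound how much work and memory a hostile string can demand before it is ever handed to BigDecimal.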

Updated by mrkn (Kenta Murata) over 10 years ago

  • Assignee set to mrkn (Kenta Murata)
  • Target version set to 2.0.0
#2

Updated by shyouhei (Shyouhei Urabe) about 10 years ago

  • Status changed from Open to Assigned
#3

Updated by mrkn (Kenta Murata) over 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r38147.
Dmitry, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
