Project

General

Profile

Actions

Bug #7499

closed

public_send can be used to invoke protected methods

Added by alindeman (Andy Lindeman) almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.0.0dev (2012-12-03) [x86_64-darwin12.2.1]
Backport:
[ruby-core:50489]

Description

class Foo
def bar
"wtf?"
end
protected :bar

def invoke_bar
public_send(:bar)
end
end

puts Foo.public_send(:bar) rescue puts "error; this seems normal"

puts Foo.new.invoke_bar

The last statement outputs "wtf?" on:

* 1.9.3p194

* 1.9.3p327

* ruby-head (2012-12-03)

The last statement raises a NoMethodError on:

* JRuby 1.7.0

* rubinius 2.0.0dev 2279857e

I /expected/ the NoMethodError behavior


Files

bug-7499.patch (2.7 KB) bug-7499.patch Anonymous, 12/03/2012 08:10 PM

Updated by Anonymous almost 12 years ago

rb_method_call_status checks the value of 'self' at the callsite to determine whether protected methods can be called.

Unfortunately this means calls to protected methods via public_send will erroneously succeed if they are in the right scope.

To fix this, I changed the meaning of Qundef as the 'self' argument to rb_call0. Formerly, Qundef meant 'use the self from the current control frame'. Now, Qundef means 'do not consider self so protected methods cannot be called'. I have updated the few calls to rb_call0 to fetch 'self' from the control frame manually. As rb_call0 and rb_method_call_status are static, there is no concern for ABI breakage.

Actions #3

Updated by nobu (Nobuyoshi Nakada) almost 12 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r38223.
Andy, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


vm_eval.c: public_send does not consider how it is called

  • vm_eval.c (rb_method_call_status): use Qundef as no self instead of
    the current self.
  • vm_eval.c (send_internal): public_send does not consider how it is
    called, as mentioned in r14173. patched by charliesome (Charlie
    Somerville). [ruby-core:50489] [Bug #7499]
Actions

Also available in: Atom PDF

Like0
Like0Like0Like0