Bug #7499
closed
public_send can be used to invoke protected methods
Description
class Foo
def bar
"wtf?"
end
protected :bar
def invoke_bar
public_send(:bar)
end
end
puts Foo.public_send(:bar) rescue puts "error; this seems normal"
puts Foo.new.invoke_bar
The last statement outputs "wtf?" on:¶
* 1.9.3p194¶
* 1.9.3p327¶
* ruby-head (2012-12-03)¶
The last statement raises a NoMethodError on:¶
* JRuby 1.7.0¶
* rubinius 2.0.0dev 2279857e¶
I /expected/ the NoMethodError behavior¶
Files
Updated by Anonymous almost 12 years ago
- File bug-7499.patch bug-7499.patch added
rb_method_call_status checks the value of 'self' at the callsite to determine whether protected methods can be called.
Unfortunately this means calls to protected methods via public_send will erroneously succeed if they are in the right scope.
To fix this, I changed the meaning of Qundef as the 'self' argument to rb_call0. Formerly, Qundef meant 'use the self from the current control frame'. Now, Qundef means 'do not consider self so protected methods cannot be called'. I have updated the few calls to rb_call0 to fetch 'self' from the control frame manually. As rb_call0 and rb_method_call_status are static, there is no concern for ABI breakage.
Updated by marcandre (Marc-Andre Lafortune) almost 12 years ago
Looks good to me.
Updated by nobu (Nobuyoshi Nakada) almost 12 years ago
- Status changed from Open to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r38223.
Andy, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
vm_eval.c: public_send does not consider how it is called
- vm_eval.c (rb_method_call_status): use Qundef as no self instead of
the current self. - vm_eval.c (send_internal): public_send does not consider how it is
called, as mentioned in r14173. patched by charliesome (Charlie
Somerville). [ruby-core:50489] [Bug #7499]