From: Kenta Murata
Date: 2011-11-01T12:56:03+09:00
Subject: [ruby-core:40598] [ruby-trunk - Bug #5508] Is BigDecimal really not $SAFE?

Issue #5508 has been updated by Kenta Murata.

Assignee set to Kenta Murata
Target version set to 2.0.0

----------------------------------------
Bug #5508: Is BigDecimal really not $SAFE?
http://redmine.ruby-lang.org/issues/5508

Author: Dmitry Borodaenko
Status: Open
Priority: Normal
Assignee: Kenta Murata
Category: ext
Target version: 2.0.0
ruby -v: ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]

Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
	from (irb):1:in `new'
	from (irb):1
	from /usr/bin/irb:12:in `<main>'

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().

-- 
http://redmine.ruby-lang.org
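The workaround the report mentions, validating the string and untainting it before conversion, as an added example that is not part of the report or of the bigdecimal extension. The helper names `checked_bigdecimal`, `UntrustedDecimalError` and `DECIMAL_RE` are made up here. It calls the Kernel method `BigDecimal()` rather than `BigDecimal.new` (removed in later Ruby releases) and only calls `untaint` where the method still exists, since taint tracking was removed in Ruby 3.2; on those newer Rubies the format check is the only protection left, which is the defender's point: a strict grammar on untrusted input does not depend on $SAFE at all.

```ruby
# Added example (not from the bug report): validate an untrusted numeric
# string before handing it to BigDecimal, instead of relying on $SAFE and
# taint tracking. The helper names below are hypothetical.
require 'bigdecimal'

# Strict decimal grammar: optional sign, integer digits, optional fraction,
# optional exponent. It deliberately excludes spellings BigDecimal() itself
# accepts ("NaN", "Infinity", "-Infinity", surrounding whitespace, "1_000"),
# so the caller, not the parser, decides what an untrusted source may send.
DECIMAL_RE = /\A[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?\z/

class UntrustedDecimalError < ArgumentError; end

# Returns a BigDecimal for a string matching DECIMAL_RE, otherwise raises
# UntrustedDecimalError. max_len bounds the size of what a hostile caller
# can make us parse, keeping the cost per request predictable.
def checked_bigdecimal(str, max_len: 64)
  raise UntrustedDecimalError, "input is not a String" unless str.is_a?(String)
  raise UntrustedDecimalError, "input too long (#{str.bytesize} bytes)" if str.bytesize > max_len
  raise UntrustedDecimalError, "not a plain decimal: #{str.inspect}" unless str.match?(DECIMAL_RE)

  value = str.dup
  # On Rubies that still track taint (before 3.2) the input may be tainted;
  # its format has now been checked, so clear the flag that SafeStringValue
  # would otherwise reject. On newer Rubies untaint no longer exists.
  value.untaint if value.respond_to?(:untaint)
  BigDecimal(value)
end

# Convenience predicate: true when the input is rejected by the validator.
def rejected_decimal?(str)
  checked_bigdecimal(str)
  false
rescue UntrustedDecimalError
  true
end

if $PROGRAM_NAME == __FILE__
  ["12.50", "-1e3", "NaN", "1 ", "1_000", "Infinity"].each do |s|
    puts "#{s.inspect}: #{rejected_decimal?(s) ? 'rejected' : checked_bigdecimal(s).to_s}"
  end
end
```

The grammar is intentionally narrower than what `BigDecimal()` parses; widen it only for inputs the application actually needs, because every accepted spelling is one more case the downstream arithmetic has to be correct for.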