From: Kenta Murata <muraken@...>
Date: 2011-11-01T12:56:03+09:00
Subject: [ruby-core:40598] [ruby-trunk - Bug #5508] Is BigDecimal really not $SAFE?


Issue #5508 has been updated by Kenta Murata.

Assignee set to Kenta Murata
Target version set to 2.0.0


----------------------------------------
Bug #5508: Is BigDecimal really not $SAFE?
http://redmine.ruby-lang.org/issues/5508

Author: Dmitry Borodaenko
Status: Open
Priority: Normal
Assignee: Kenta Murata
Category: ext
Target version: 2.0.0
ruby -v: ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]


Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
        from (irb):1:in `new'
        from (irb):1
        from /usr/bin/irb:12:in `<main>'

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().


-- 
http://redmine.ruby-lang.org