[#46049] [ruby-trunk - Feature #6590] Dealing with bigdecimal, etc gems in JRuby — "mrkn (Kenta Murata)" <muraken@...>
4 messages
2012/07/01
[#46078] [ruby-trunk - Feature #2565] adding hooks for better tracing — "mame (Yusuke Endoh)" <mame@...>
4 messages
2012/07/01
[#46108] Re: [ruby-trunk - Feature #2565] adding hooks for better tracing
— Aaron Patterson <tenderlove@...>
2012/07/02
On Mon, Jul 02, 2012 at 03:06:59AM +0900, mame (Yusuke Endoh) wrote:
[#46127] [ruby-trunk - Feature #2565] adding hooks for better tracing — "vo.x (Vit Ondruch)" <v.ondruch@...>
4 messages
2012/07/03
[#46160] [ruby-trunk - Feature #6693][Open] Don't warn for unused variables starting with _ — "marcandre (Marc-Andre Lafortune)" <ruby-core@...>
15 messages
2012/07/04
[#46163] [ruby-trunk - Feature #6695][Open] Configuration for Thread/Fiber creation — "ko1 (Koichi Sasada)" <redmine@...>
7 messages
2012/07/04
[#46172] [ruby-trunk - Feature #6697][Open] [PATCH] Add Kernel#Symbol conversion method like String(), Array() etc. — "madeofcode (Mark Dodwell)" <mark@...>
7 messages
2012/07/04
[#46236] [ruby-trunk - Bug #6704][Open] Random core dump — "trans (Thomas Sawyer)" <transfire@...>
7 messages
2012/07/07
[#46248] building ruby-1.9.3-p194 on AIX 6.1 TL05 SP06 — Perry Smith <pedzsan@...>
I am just now starting to debug this but hoped someone has already =
10 messages
2012/07/08
[#46251] Re: building ruby-1.9.3-p194 on AIX 6.1 TL05 SP06
— Yutaka Kanemoto <kinpoco@...>
2012/07/08
Hi Perry
[#46252] Re: building ruby-1.9.3-p194 on AIX 6.1 TL05 SP06
— Perry Smith <pedzsan@...>
2012/07/08
[#46254] Re: building ruby-1.9.3-p194 on AIX 6.1 TL05 SP06
— Perry Smith <pedzsan@...>
2012/07/08
[#46259] Re: building ruby-1.9.3-p194 on AIX 6.1 TL05 SP06
— Perry Smith <pedzsan@...>
2012/07/09
[#46266] Re: building ruby-1.9.3-p194 on AIX 6.1 TL05 SP06
— Yutaka Kanemoto <kinpoco@...>
2012/07/09
Hi Perry,
[#46262] [ruby-trunk - Feature #6710][Open] new special binding specifier :isolated — "ko1 (Koichi Sasada)" <redmine@...>
8 messages
2012/07/09
[#46276] Lambdaification of Method Calls — Robert Klemme <shortcutter@...>
Hi,
3 messages
2012/07/09
[#46320] [ruby-trunk - Feature #6721][Open] Object#yield_self — "alexeymuranov (Alexey Muranov)" <redmine@...>
25 messages
2012/07/11
[#46339] [ruby-trunk - Bug #6724][Open] waaaaaaant! ( — "zenspider (Ryan Davis)" <redmine@...>
11 messages
2012/07/11
[#46537] Re: [ruby-trunk - Bug #6724][Open] waaaaaaant! (
— Aaron Patterson <tenderlove@...>
2012/07/17
On Thu, Jul 12, 2012 at 08:58:36AM +0900, zenspider (Ryan Davis) wrote:
[#46540] Re: [ruby-trunk - Bug #6724][Open] waaaaaaant! (
— Luis Lavena <luislavena@...>
2012/07/18
On Tue, Jul 17, 2012 at 6:27 PM, Aaron Patterson
[#46377] [ruby-trunk - Feature #6727][Open] Add Array#rest (with implementation) — "duckinator (Nick Markwell)" <nick@...>
25 messages
2012/07/13
[#46420] [ruby-trunk - Feature #6731][Open] add new method "Object.present?" as a counter to #empty? — "rogerdpack (Roger Pack)" <rogerpack2005@...>
4 messages
2012/07/14
[#46500] [ruby-trunk - Feature #6739][Open] One-line rescue statement should support specifying an exception class — Quintus (Marvin Gülker) <sutniuq@...>
22 messages
2012/07/15
[#46535] [ruby-trunk - Bug #6749][Open] rdoc of Time class (incorrect explanation of leap seconds) — "stomar (Marcus Stollsteimer)" <redmine@...>
7 messages
2012/07/17
[#46687] [ruby-trunk - Bug #6749] rdoc of Time class (incorrect explanation of leap seconds)
— "drbrain (Eric Hodel)" <drbrain@...7.net>
2012/07/23
[#46713] Re: [ruby-trunk - Bug #6749] rdoc of Time class (incorrect explanation of leap seconds)
— sto.mar@...
2012/07/24
Hi Eric,
[#46734] Re: [ruby-trunk - Bug #6749] rdoc of Time class (incorrect explanation of leap seconds)
— Eric Hodel <drbrain@...7.net>
2012/07/24
On Jul 23, 2012, at 11:52 PM, sto.mar@web.de wrote:
[#46763] Re: [ruby-trunk - Bug #6749] rdoc of Time class (incorrect explanation of leap seconds)
— sto.mar@...
2012/07/25
Am 24.07.2012 19:44, schrieb Eric Hodel:
[#46546] Fwd: [ruby-cvs:43609] ko1:r36433 (trunk): * thread.c (rb_thread_call_without_gvl2): added. — SASADA Koichi <ko1@...>
Hi,
4 messages
2012/07/18
[#46547] Re: Fwd: [ruby-cvs:43609] ko1:r36433 (trunk): * thread.c (rb_thread_call_without_gvl2): added.
— Eric Wong <normalperson@...>
2012/07/18
SASADA Koichi <ko1@atdot.net> wrote:
[#46553] [ruby-trunk - Feature #2565] adding hooks for better tracing — "tenderlovemaking (Aaron Patterson)" <aaron@...>
4 messages
2012/07/18
[#46564] Ruby under CI - Windows — Luis Lavena <luislavena@...>
Hello,
6 messages
2012/07/20
[#46574] [ruby-trunk - Feature #6762][Open] Control interrupt timing — "ko1 (Koichi Sasada)" <redmine@...>
39 messages
2012/07/20
[#46575] [ruby-trunk - Feature #6762] Control interrupt timing
— "ko1 (Koichi Sasada)" <redmine@...>
2012/07/20
[#46576] Re: [ruby-trunk - Feature #6762] Control interrupt timing
— Eric Wong <normalperson@...>
2012/07/20
"ko1 (Koichi Sasada)" <redmine@ruby-lang.org> wrote:
[#48390] [ruby-trunk - Feature #6762] Control interrupt timing
— "ko1 (Koichi Sasada)" <redmine@...>
2012/10/26
[#50542] Re: [ruby-trunk - Feature #6762][Open] Control interrupt timing
— Brent Roman <brent@...>
2012/12/03
I was suggesting "interruptible" as a better alternative for
[#46577] [ruby-trunk - Feature #6763][Open] Introduce Flonum technique to speedup floating computation on th 64bit environment — "ko1 (Koichi Sasada)" <redmine@...>
7 messages
2012/07/20
[#46586] [ruby-trunk - Bug #6764][Open] IO#read(size, buf) causes can't set length of shared string in trunk (2.0.0dev) — "nahi (Hiroshi Nakamura)" <nakahiro@...>
4 messages
2012/07/21
[#46641] [ruby-trunk - Bug #6780][Open] cannot compile zlib module, when cross-compiling. — "jinleileiking (lei king)" <jinleileiking@...>
14 messages
2012/07/23
[#46686] [ruby-trunk - Bug #6784][Open] Test failures related to numeric with x64 mingw — "h.shirosaki (Hiroshi Shirosaki)" <h.shirosaki@...>
5 messages
2012/07/23
[#46741] [ruby-trunk - Bug #6789][Open] parse.y compilation error due not updated id.h — "luislavena (Luis Lavena)" <luislavena@...>
8 messages
2012/07/24
[#46742] [ruby-trunk - Bug #6789][Assigned] parse.y compilation error due not updated id.h
— "luislavena (Luis Lavena)" <luislavena@...>
2012/07/24
[#46744] [ruby-trunk - Bug #6791][Open] ext/js on/generator/generator.c fails to compile on nightly build (AIX 6.1) — "pedz (Perry Smith)" <pedz@...>
4 messages
2012/07/25
[#46752] Re: [ruby-trunk - Bug #6791][Open] ext/js on/generator/generator.c fails to compile on nightly build (AIX 6.1)
— Yutaka Kanemoto <kinpoco@...>
2012/07/25
Hi Perry,
[#46772] Ruby 1.9.3 release? — Charles Oliver Nutter <headius@...>
JRuby will soon release 1.7.0pre2, the second preview of 1.7. Perhaps
6 messages
2012/07/25
[#46847] Re: Ruby 1.9.3 release?
— "NARUSE, Yui" <naruse@...>
2012/07/29
(2012/07/26 7:07), Charles Oliver Nutter wrote:
[#46864] Re: Ruby 1.9.3 release?
— Luis Lavena <luislavena@...>
2012/07/29
On Sat, Jul 28, 2012 at 10:59 PM, NARUSE, Yui <naruse@airemix.jp> wrote:
[#46792] [ruby-trunk - Bug #6799][Open] Digest::*.hexdigest returns an ASCII-8BIT String — "Eregon (Benoit Daloze)" <redmine@...>
11 messages
2012/07/26
[#46832] [ruby-trunk - Bug #6807][Open] Can't compile ruby without ruby — "devcurmudgeon (Paul Sherwood)" <storitel@...>
13 messages
2012/07/28
[#46834] [ruby-trunk - Feature #6808][Open] Implicit index for enumerations — "trans (Thomas Sawyer)" <transfire@...>
15 messages
2012/07/28
[#46838] [ruby-trunk - Bug #6810][Open] `module A::B; end` is not equivalent to `module A; module B; end; end` with respect to constant lookup (scope) — "alexeymuranov (Alexey Muranov)" <redmine@...>
17 messages
2012/07/28
[#46854] [ruby-trunk - Feature #6811][Open] File, Dir and FileUtils should have bang-versions of singleton methods that fails silently — "prijutme4ty (Ilya Vorontsov)" <prijutme4ty@...>
7 messages
2012/07/29
[#46896] (Half-baked DRAFT) new `require' framework — SASADA Koichi <ko1@...>
Hi,
22 messages
2012/07/31
[#46897] Re: (Half-baked DRAFT) new `require' framework
— =?KOI8-R?B?4NLJyiDzz8vPzM/X?= <funny.falcon@...>
2012/07/31
2012/7/31 SASADA Koichi <ko1@atdot.net>
[#46899] Re: (Half-baked DRAFT) new `require' framework
— Alex Young <alex@...>
2012/07/31
On 31/07/12 13:29, SASADA Koichi wrote:
[#46902] Re: (Half-baked DRAFT) new `require' framework
— Trans <transfire@...>
2012/07/31
On Tue, Jul 31, 2012 at 12:07 PM, Alex Young <alex@blackkettle.org> wrote:
[#46903] Re: (Half-baked DRAFT) new `require' framework
— Clifford Heath <clifford.heath@...>
2012/07/31
On 01/08/2012, at 5:59 AM, Trans wrote:
[#47040] Re: (Half-baked DRAFT) new `require' framework
— SASADA Koichi <ko1@...>
2012/08/07
(2012/07/31 21:29), SASADA Koichi wrote:
[#47054] Re: (Half-baked DRAFT) new `require' framework
— Rocky Bernstein <rockyb@...>
2012/08/07
If one is considering importing archive files like zip, tar, jar, or gem, I
[#47056] Re: (Half-baked DRAFT) new `require' framework
— Charles Oliver Nutter <headius@...>
2012/08/07
On Tue, Aug 7, 2012 at 8:48 AM, Rocky Bernstein <rockyb@rubyforge.org> wrote:
[ruby-core:46334] [ruby-trunk - Bug #5374] Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1
From:
"375gnu (Hleb Valoshka)" <redmine@...>
Date:
2012-07-11 22:38:12 UTC
List:
ruby-core #46334
Issue #5374 has been updated by 375gnu (Hleb Valoshka).
nobu (Nobuyoshi Nakada) wrote:
> Does this happen with recent versions?
Yes, at least with 1.9.3p194 (2012-04-20 revision 35410) [x86_64-linux].
And today I've made some investigations.
File.stat is rb_file_s_stat, which calls rb_get_path, which calls rb_get_path_check, which at very end calls rb_str_new4, which actually is rb_str_new_frozen.
As value passed to rb_str_new_frozen (filename) isn't frozen, it creates new string (see file string.c, line 679):
if (STR_SHARED_P(orig) && (str = RSTRING(orig)->as.heap.aux.shared)) {...} and that "new" string is returned to rb_get_path_check.
*This str is tainted!*
I also have found more simple way to reproduce the bug:
ruby -e '$SAFE=1;File.stat(("12345678901234567890123"+"4".taint).dup.untaint)'
Argument to stat sh'ld be at least 24 bytes on 64bit box.
I haven't checked again bug with glob on Win32, but suppose that it has the same nature but it didn't expressed itself on my Debian boxes cause they are 64bit. In few days I can check it on 32bit Debian.
----------------------------------------
Bug #5374: Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1
https://bugs.ruby-lang.org/issues/5374#change-27953
Author: 375gnu (Hleb Valoshka)
Status: Feedback
Priority: Normal
Assignee: mame (Yusuke Endoh)
Category: core
Target version: 2.0.0
ruby -v: ruby 1.9.2p180 (2011-02-18) [i386-mingw32]
Preface.
I've tried to find workaroud for one GetText-Ruby bug with untainted data from Dir.glob (http://rubyforge.org//tracker/?func=detail&atid=3377&aid=28336&group_id=855).
Here it is (full text is in gettext-test.rb):
module GetText
class MOFile
alias :oldload :load
def load(arg)
arg = arg.dup.untaint if arg.kind_of? String
oldload(arg)
end
end
end
It works fine with ruby 1.8, but with 1.9 with debug enabled there is a
message about exception SecurityError:
Exception `SecurityError' at /usr/lib/ruby/1.9.1/gettext/runtime/mofile.rb:75 - Insecure operation - stat
The corresponding code is
74 begin
75 st = File.stat(arg)
76 @last_modified = [st.ctime, st.mtime]
77 rescue Exception
78 end
I've put line
warn "$SAFE == #{$SAFE}; arg.tainted? == #{arg.tainted?}"
before it, and it says:
$SAFE == 1; arg.tainted? == false
So why the exception is if arg is NOT tainted? Note: it was discovered on Debian
GNU/Linux box with 1.9.3preview1. Full log is in gettext-debian.log
Going further.
I've made very simple test program which mimics GetTExt-Ruby and workaround for
it, see test.rb in attachment.
This program was tested on Win32 box with 1.9.2-p180 and -p290.
Been run as "ruby -T1 test.rb u" output was clean. But been run as "ruby -T1
test.rb t" or "ruby -T1 test.rb t" is had an exception on files test1234.txt
and test12345.txt (see full test.log in attachment). 't' means "send tainted
object to function", 'u' means "send untainted", 'b' means "send tainted, then
untainted". But on Debian box it outputs NO error.
At last, I have run test for GetText on win box, and it failed with exception
Exception `SecurityError' at C:/fsc.tmp/gettext/runtime/locale_path.rb:90 - Insecure operation - glob
Log is in gettext-win.log
But whether Dir.glob is insecure with $SAFE==1?
--
http://bugs.ruby-lang.org/