From: Aaron Patterson
Date: 2013-02-14T09:26:52+09:00
Subject: [ruby-core:52233] Re: [ruby-trunk - Feature #7839] Symbol.freeze_symbols

On Wed, Feb 13, 2013 at 05:15:25PM +0900, alexeymuranov (Alexey Muranov) wrote:
>
> Issue #7839 has been updated by alexeymuranov (Alexey Muranov).
>
>
> Sorry about a naïve idea, but what would you say about prohibiting interning tainted strings instead?

It seems like a good idea, except that tainting is not reliable. For example:

irb(main):001:0> require 'json'
=> true
irb(main):002:0> user_input = "{\"foo\":\"bar\"}".taint
=> "{\"foo\":\"bar\"}"
irb(main):003:0> user_input.tainted?
=> true
irb(main):004:0> params = JSON.parse user_input
=> {"foo"=>"bar"}
irb(main):005:0> params['foo'].tainted?
=> false

In this case, a tainted string becomes untainted. I guess it's OK for tainted strings to become untainted, but how is someone supposed to verify if the JSON is safe without first parsing the JSON before sending the JSON to the JSON parser? My head is spinning.

C extension authors need to use rb_tainted_str*, but most of them just use rb_str_new. You can increase $SAFE high enough that all objects are tainted on creation, but nobody uses $SAFE (I think MRI is the only implementation of Ruby that has it).

In short: :-(

--
Aaron Patterson
http://tenderlovemaking.com/
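The message above shows why taint cannot be used to decide whether a parsed string may be interned: the taint bit is lost inside JSON.parse. The example below is added here and is not code from the thread, the ticket, or the ruby/json project; it illustrates the alternative that does not depend on taint at all, namely interning a string only when it matches an allow-list the application already knows, so attacker-chosen keys never reach the symbol table. All names in it (ALLOWED_KEYS, safe_intern, symbolize_allowed, parse_untrusted, UNTRUSTED_JSON) are this example's own, and the JSON payload is constructed for the demonstration.

```ruby
require 'json'

# Added example, not from the ruby-trunk ticket or the ruby/json gem.
# Map the string form of every key the application expects to its Symbol.
# Because the Symbols are created here, at load time, user data is never
# passed to String#to_sym; lookups return the pre-existing Symbol object.
ALLOWED_KEYS = %w[id name email roles].each_with_object({}) do |k, h|
  h[k] = k.to_sym
end.freeze

# Return the allow-listed Symbol for +str+, or +str+ itself (unchanged)
# when it is not a known key. Non-String inputs pass through untouched.
def safe_intern(str, allowed = ALLOWED_KEYS)
  return str unless str.is_a?(String)
  allowed.fetch(str) { str }
end

# Walk a structure produced by JSON.parse and symbolize only allow-listed
# Hash keys. Unknown keys stay Strings, so an attacker who controls the
# JSON cannot grow the symbol table by inventing new key names.
def symbolize_allowed(obj, allowed = ALLOWED_KEYS)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), h|
      h[safe_intern(k, allowed)] = symbolize_allowed(v, allowed)
    end
  when Array
    obj.map { |v| symbolize_allowed(v, allowed) }
  else
    obj
  end
end

# Parse untrusted JSON without symbolize_names: true, then apply the
# allow-list. This is the replacement for "refuse to intern tainted strings".
def parse_untrusted(json, allowed = ALLOWED_KEYS)
  symbolize_allowed(JSON.parse(json), allowed)
end

# Constructed sample payload: two legitimate keys plus one the attacker chose.
UNTRUSTED_JSON = '{"name":"alice","roles":["admin"],"zz_attacker_key_123":1}'

if __FILE__ == $PROGRAM_NAME
  params = parse_untrusted(UNTRUSTED_JSON)
  p params                       # attacker key remains a String key
  p params.keys.grep(String)     # => ["zz_attacker_key_123"]
end
```

Compare this with `JSON.parse(json, symbolize_names: true)`, which interns every key the client sends; the allow-list version gives the same ergonomic `params[:name]` access for known keys while leaving anything unexpected as a plain String that can be logged, rejected, or ignored.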