From: usa@...
Date: 2014-02-25T17:07:34+00:00
Subject: [ruby-core:61081] [ruby-trunk - Bug #9564] Tainted string permitted in Kernel.trap in safe level 1

Issue #9564 has been updated by Usaku NAKAMURA.

Since r1827 (on Nov. 13, 2001), trap intentionally checks whether the block is tainted or not, but never checks the first parameter (signal name).
So, I guess that it's the documentation's fault.

----------------------------------------
Bug #9564: Tainted string permitted in Kernel.trap in safe level 1
https://bugs.ruby-lang.org/issues/9564#change-45476

* Author: Jan Rusnacko
* Status: Open
* Priority: Normal
* Assignee:
* Category:
* Target version:
* ruby -v: all?
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
According to the existing documentation (I am referring to Programming Ruby: The Pragmatic Programmer's Guide at http://ruby-doc.com/docs/ProgrammingRuby/ and The Ruby Programming Language by Flanagan, Matsumoto), Kernel.trap should not accept a tainted string if $SAFE >= 1. However, this is true only for $SAFE >= 2, and a tainted signal string is accepted in safe level 1:

    signal = "SIGKILL".taint

    Thread.start {
      $SAFE = 1
      # no exception
      trap(signal) { puts 'foo' }
    }.join

    Thread.start {
      $SAFE = 2
      # throws SecurityError
      trap(signal) { puts 'foo' }
    }.join

--
http://bugs.ruby-lang.org/
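
Added example, not part of the report above and not Ruby's own code: because trap does not taint-check its signal-name argument at $SAFE = 1, an application that receives a signal name from outside can validate it itself before calling trap. ALLOWED_SIGNALS, UntrustedSignalError, normalize_signal and safe_trap are hypothetical names, and the allowlist is an assumed application policy.

```ruby
# Added example: application-level validation of an externally supplied
# signal name, independent of $SAFE/taint (which trap does not apply to
# its first argument at safe level 1, per the report above).

# Assumption: the only signals this application lets outside input select.
ALLOWED_SIGNALS = %w[HUP USR1 USR2 TERM INT].freeze

class UntrustedSignalError < ArgumentError; end

# Returns the canonical short name ("USR1") or raises UntrustedSignalError.
def normalize_signal(name)
  unless name.is_a?(String)
    raise UntrustedSignalError, "signal name must be a String"
  end

  # Accept "SIGUSR1", "USR1", "sigusr1"; reject whitespace, digits-only
  # tricks, embedded newlines and anything else that is not a plain name.
  short = name.upcase.sub(/\ASIG/, "")
  unless short.match?(/\A[A-Z][A-Z0-9]{1,9}\z/)
    raise UntrustedSignalError, "malformed signal name: #{name.inspect}"
  end

  # Signal.list maps the names known on this platform to their numbers.
  unless Signal.list.key?(short)
    raise UntrustedSignalError, "unknown signal on this platform: #{short}"
  end

  unless ALLOWED_SIGNALS.include?(short)
    raise UntrustedSignalError, "signal not permitted by policy: #{short}"
  end

  short
end

# Drop-in wrapper: validates first, then installs the handler.
# Returns whatever Kernel#trap returns (the previous handler).
def safe_trap(name, &handler)
  trap(normalize_signal(name), &handler)
end
```
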