From: crojasaragonez@...
Date: 2014-09-06T20:11:31+00:00
Subject: [ruby-core:64816] [ruby-trunk - Bug #10209] attr_reader vulnerability

Issue #10209 has been updated by Carlos Luis Rojas.

Output:

"Original atributes:"
"-------------------------"
"value"
[1, 2, 3, 4]
{:name=>"Carlos", :age=>25}
"-------------------------"
"After Hacking attributes:"
"-------------------------"
""
[]
{}
"-------------------------"

----------------------------------------
Bug #10209: attr_reader vulnerability
https://bugs.ruby-lang.org/issues/10209#change-48696

* Author: Carlos Luis Rojas
* Status: Open
* Priority: Normal
* Assignee:
* Category: core
* Target version:
* ruby -v: ruby 2.0.0p247 (2013-06-27) [i586-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
It is possible to change a read_only class attribute:

~~~
require 'pp'

class Attributes
  attr_reader :string, :array, :hash

  def initialize
    @string = 'value'
    @array = [1, 2, 3, 4]
    @hash = { name: 'Carlos', age: 25 }
  end
end

instance = Attributes.new

pp 'Original atributes:'
pp '-------------------------'
pp instance.string
pp instance.array
pp instance.hash
pp '-------------------------'

# bang!!
# this should not affect the original attribute.
instance.string.gsub!(/.*/, '')
instance.array.clear
instance.hash.clear

pp 'After Hacking attributes:'
pp '-------------------------'
pp instance.string
pp instance.array
pp instance.hash
pp '-------------------------'
~~~

---Files--------------------------------
attributes.rb (628 Bytes)

--
https://bugs.ruby-lang.org/
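Added example, not part of the original report or of Ruby's own code: attr_reader only omits the writer method and returns the stored object itself, so in-place methods such as gsub! and clear change the instance's state. The sketch below replays the report's three mutations against that pattern and against two defensive variants (frozen state, copy-returning readers). Class and helper names are hypothetical, and the report's :hash reader is named :table here so that Object#hash is not overridden.

```ruby
# Constructed example; class and helper names are hypothetical.

# The pattern from the report: each reader returns the live internal object.
class LeakyReaders
  attr_reader :string, :array, :table

  def initialize
    @string = +'value'
    @array  = [1, 2, 3, 4]
    @table  = { name: +'Carlos', age: 25 }
  end
end

# Option 1: freeze the state so in-place mutation raises FrozenError.
# freeze is shallow, so nested values are frozen as well.
class FrozenState < LeakyReaders
  def initialize
    super
    @table.each_value(&:freeze)
    [@string, @array, @table].each(&:freeze)
  end
end

# Option 2: readers return deep copies; callers only ever change their copy.
class CopyingReaders < LeakyReaders
  %i[string array table].each do |attr|
    define_method(attr) do
      Marshal.load(Marshal.dump(instance_variable_get("@#{attr}")))
    end
  end
end

# Replays the report's three mutations through the public readers and
# returns the state visible afterwards.
def state_after_mutation(obj)
  [-> { obj.string.gsub!(/.*/, '') },
   -> { obj.array.clear },
   -> { obj.table.clear }].each do |mutate|
    begin
      mutate.call
    rescue FrozenError
      # frozen state rejected the change
    end
  end
  [obj.string, obj.array, obj.table]
end

[LeakyReaders, FrozenState, CopyingReaders].each do |klass|
  puts "#{klass}: #{state_after_mutation(klass.new).inspect}"
end
```

Freezing makes tampering fail loudly at the call site, while copying lets the call succeed on a throwaway object; the Marshal round-trip is applied only to the object's own plain data.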