From: eregontp@...
Date: 2017-12-27T23:16:50+00:00
Subject: [ruby-core:84531] [Ruby trunk Feature#14225] untaint hash key strings

Issue #14225 has been updated by Eregon (Benoit Daloze).

I think we should remove tainting as a whole along with $SAFE.
Untainting automatically seems bad practice and counter-intuitive.

----------------------------------------
Feature #14225: untaint hash key strings
https://bugs.ruby-lang.org/issues/14225#change-69059

* Author: normalperson (Eric Wong)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
----------------------------------------
Since we are working on deprecating and removing $SAFE for
[Feature #5455], I propose untainting all string keys used for
hashes in Ruby 2.6.

It will make implementing [Feature #13725] (fstring dedupe of hash keys)
easier.

Furthermore, Perl (which I assume is the influence for tainting
in Ruby) does not taint hash keys. In fact, perlsec(1) manpage
states: "Hash keys are never tainted"

cf. http://perldoc.perl.org/perlsec.html

--
https://bugs.ruby-lang.org/