From: Eric Wong
Date: 2017-12-27T23:35:52+00:00
Subject: [ruby-core:84534] Re: [Ruby trunk Feature#14225] untaint hash key strings

eregontp@gmail.com wrote:
> Issue #14225 has been updated by Eregon (Benoit Daloze).
>
>
> I think we should remove tainting as a whole along with $SAFE.

Agreed.

> Untainting automatically seems bad practice and counter-intuitive.

It wouldn't untaint the actual non-frozen string; but the frozen
copy which is auto-created when a non-frozen string is used as
a hash key.

In other words, it should become:

  h = {}
  f = 'foo'.taint
  h[f] = :bar
  h.keys[0].tainted? # => false (true in <= 2.5)

  # In any version of Ruby, it'll stay:
  h.keys[0].object_id != f.object_id # unless f is already frozen

Anyways, I think the change to remove taint should be gradual
(like $SAFE removal) so people have time to adapt; and this is
one step.
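The key-copy behaviour the message relies on, as an added example that is not part of the original message or of the Ruby patch. The helper names and sample strings are constructed for illustration; the taint probe returns nil on Rubies where the taint API no longer exists.

```ruby
# Added example: how Hash#[]= stores String keys (helper names are hypothetical).

# Insert str as a key and report how the stored key relates to it.
def key_copy_report(str)
  h = {}
  h[str] = :bar
  key = h.keys[0]
  { key_frozen: key.frozen?, same_object: key.equal?(str),
    original_frozen: str.frozen? }
end

# Mutating the original string after insertion must not change the key,
# because the hash holds its own frozen copy.
def mutate_after_insert
  h = {}
  f = +'foo'            # constructed sample; unary + guarantees an unfrozen string
  h[f] = :bar
  f << 'bar'
  [f, h.keys[0], h['foo']]
end

# compare_by_identity hashes keep the caller's object, so no frozen copy is made.
def identity_hash_report
  h = {}.compare_by_identity
  f = +'foo'
  h[f] = :bar
  key = h.keys[0]
  { key_frozen: key.frozen?, same_object: key.equal?(f) }
end

# Taint state of the stored key for a tainted, unfrozen original.
# Returns nil when this Ruby has no taint API, so the probe never raises.
def stored_key_tainted?
  f = +'foo'
  return nil unless f.respond_to?(:taint) && f.respond_to?(:tainted?)
  h = {}
  h[f.taint] = :bar
  h.keys[0].tainted?
end

if __FILE__ == $PROGRAM_NAME
  p key_copy_report(+'foo')
  p key_copy_report('foo'.freeze)
  p mutate_after_insert
  p identity_hash_report
  p stored_key_tainted?
end
```

Code that treats hash keys as carrying the original string's state should check the stored key, not the variable that was passed in, since the two are different objects unless the original was already frozen.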