Issue #4451 has been updated by tadayoshi funaba.

Status changed from Assigned to Rejected


----------------------------------------
Bug #4451: Date#step does not raise ArgumentError for 0 step
http://redmine.ruby-lang.org/issues/4451

Author: Jeremy Evans
Status: Rejected
Priority: Low
Assignee: tadayoshi funaba
Category: lib
Target version: 
ruby -v: ruby 1.9.3dev (2011-02-16 trunk 30888) [x86_64-openbsd4.9]


=begin
Numeric#step:

$ ruby -e '1.step(2, 0){}'
-e:1:in `step': step can't be 0 (ArgumentError)
        from -e:1:in `<main>'

Range#step:

$ ruby -r date -e '(0..1).step(0){}'
-e:1:in `step': step can't be 0 (ArgumentError)
        from -e:1:in `<main>'

Date#step:

ruby -r date -e 'Date.today.step(Date.today, 0){}'
# infinite loop

There is already a check for this in date.rb, but it is commented out.  It was added in r13408, over 3 years ago.  The lack of this check can cause a denial of service if the step value is controlled by the attacker.  The attached patch enables the check and adds a test for it.
=end



-- 
http://redmine.ruby-lang.org