Issue #5072 has been updated by Jeremy Evans.

File 0002-Fix-handling-of-respond_to_missing-after-r32621.patch added

I guess the observation does fail for respond_to?, but it should hold for the other methods (both the ones in here #5072 and the ones in #5079).  I've attached a patch here to fix the respond_to_missing? override case, but of course that would remove the protection for any class that overrides respond_to_missing?.  One way to work around this is to relax the spec so that respond_to_missing is allowed to receive a string instead of a symbol as the first argument.
----------------------------------------
Feature #5072: Avoid inadvertent symbol creation in reflection methods
http://redmine.ruby-lang.org/issues/5072

Author: Jeremy Evans
Status: Assigned
Priority: Normal
Assignee: Nobuyoshi Nakada
Category: core
Target version: 


I recently discovered a denial of service vulnerability in ActiveRecord's mass assignment methods related to the insecure use of ruby's reflection methods (e.g. respond_to?).  Because these methods take strings and automatically create symbols from them, they are not safe to call with a string coming from the user.  Because they create the symbol internally, they look safe, but if you pass user-created strings to these methods, you open yourself up to denial of service through memory exhaustion (see http://sequel.heroku.com/2011/07/16/dangerous-reflection/).

This could be fixed using a fairly simple observation, which is that if you do:

  respond_to?("foo")

and "foo" is not already in the symbol table, no method named "foo" can exist.  So this code provides a patch that changes the reflection methods to return false immediately if given a string which doesn't already exist in the symbol table.  There should be no performance impact from this, since the symbol table lookup has to be done anyway.

I'm also adding an earlier patch I wrote that adds String#interned?, for checking if a string is already interned.  There was an internal method for this added in r10932, but it must have been removed while the prototype was left in intern.h.  String#interned? allows a user to check if a string is already in the symbol table, and can be used by user code to ensure that symbols are not created inadvertently.
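
As an added illustration (not part of the issue or its patches), the check the observation above suggests, done in user code: Symbol.all_symbols stands in for the proposed String#interned?, a wrapper around respond_to? returns false without ever interning an unknown string, and a mass-assignment loop is built on that wrapper. The Account class and the helper names are constructed for the example.

```ruby
# Stand-in for the proposed String#interned?: a linear scan of the symbol
# table.  It never creates a symbol, which is the whole point.
def interned?(str)
  str = str.to_s
  Symbol.all_symbols.any? { |sym| sym.to_s == str }
end

# Safe reflection: if no symbol exists for the name, no method of that name
# can exist either, so answer false before respond_to? can intern anything.
def safe_respond_to?(obj, name, include_all = false)
  return false unless interned?(name)
  obj.respond_to?(name.to_sym, include_all)
end

# Constructed model used to demonstrate mass assignment from untrusted keys.
class Account
  attr_accessor :name, :email
end

# Assigns only attributes whose setter is already defined; returns the keys
# that were ignored.  Unknown keys never reach the symbol table.
def safe_mass_assign(obj, params)
  ignored = []
  params.each do |key, value|
    setter = "#{key}="
    if safe_respond_to?(obj, setter)
      obj.public_send(setter.to_sym, value)
    else
      ignored << key
    end
  end
  ignored
end
```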


-- 
http://redmine.ruby-lang.org