Issue #5508 has been reported by Dmitry Borodaenko.

----------------------------------------
Bug #5508: Is BigDecimal really not $SAFE?
http://redmine.ruby-lang.org/issues/5508

Author: Dmitry Borodaenko
Status: Open
Priority: Normal
Assignee: 
Category: ext
Target version: 
ruby -v: ruby 1.9.3dev (2011-09-23 revision 33323) [x86_64-linux]


Why does BigDecimal call SafeStringValue?

irb(main):001:0> $SAFE = 1; BigDecimal.new('1'.taint)
SecurityError: Insecure operation - new
        from (irb):1:in `new'
        from (irb):1
        from /usr/bin/irb:12:in `<main>'

Compare with:

irb(main):001:0> $SAFE = 1; i = '1'.taint.to_i
=> 1
irb(main):002:0> i.tainted?
=> false

I think it makes a lot more sense to validate the input within BigDecimal, rather than validate and untaint the string before passing it to BigDecimal.new().


-- 
http://redmine.ruby-lang.org