Issue #7325 has been updated by mame (Yusuke Endoh).

Status changed from Open to Assigned
Assignee set to shugo (Shugo Maeda)
Target version set to 2.0.0

Summarized:

  p Integer.tainted? #=> false
  Marshal.load(Marshal.dump(Integer).taint)
  p Integer.tainted? #=> expected: false, actual: true

Indeed, it looks weird.  Shugo-san, what do you think?

-- 
Yusuke Endoh <mame / tsg.ne.jp>
----------------------------------------
Bug #7325: Marshal#load taints classes if they are referenced in a marsheled object
https://bugs.ruby-lang.org/issues/7325#change-33844

Author: urielka (Uriel Katz)
Status: Assigned
Priority: Normal
Assignee: shugo (Shugo Maeda)
Category: 
Target version: 2.0.0
ruby -v: ruby 1.9.3p327 (2012-11-10 revision 37606) [x86_64-linux]


=begin
= Reproducing steps:
ruby taint.rb

= Output of this script in my computer running 1.9.3-p327:
 Before marshal is tainted?: false
 After marshal is tainted?: true
 Safe level when calling tainted method using call: 4
 Safe level when calling tainted method directly: 0

= Expected:
MyObject#test shouldn't be tainted as it was defined in my own source and what was saved into the file is just a reference to MyObject class ("\u0004\bc\rMyObject")

= Actual:
MyObject#test is tainted and calling it using Method#call will make it run in safe-level 4.


= Some background on how I got to this issue:
I wrote some RPC code that accepts a class and method name and does the invocation,the way I call the method is getting the method from the instance using something like: "cls_instance.method(method_name).call" 

I used Rails.cache with FileStore (which uses Marshal#load from file) to cache a object that had references to classes.

After reading from the cache all other requests saw the classes as tainted and when calling the methods they ran at $SAFE=4 which caused it to fail (even puts doesn't work at that level :)

This issue also made me understand that there is 2 potential bugs in Rails.
=end



-- 
http://bugs.ruby-lang.org/