Issue #7499 has been updated by charliesome (Charlie Somerville).

File bug-7499.patch added

rb_method_call_status checks the value of 'self' at the callsite to determine whether protected methods can be called.

Unfortunately this means calls to protected methods via public_send will erroneously succeed if they are in the right scope.

To fix this, I changed the meaning of Qundef as the 'self' argument to rb_call0. Formerly, Qundef meant 'use the self from the current control frame'. Now, Qundef means 'do not consider self so protected methods cannot be called'. I have updated the few calls to rb_call0 to fetch 'self' from the control frame manually. As rb_call0 and rb_method_call_status are static, there is no concern for ABI breakage.


----------------------------------------
Bug #7499: public_send can be used to invoke protected methods
https://bugs.ruby-lang.org/issues/7499#change-34358

Author: alindeman (Andy Lindeman)
Status: Open
Priority: Normal
Assignee: 
Category: 
Target version: 
ruby -v: ruby 2.0.0dev (2012-12-03) [x86_64-darwin12.2.1]


class Foo
  def bar
    "wtf?"
  end
  protected :bar

  def invoke_bar
    public_send(:bar)
  end
end

puts Foo.public_send(:bar) rescue puts "error; this seems normal"

puts Foo.new.invoke_bar

# The last statement outputs "wtf?" on:
# * 1.9.3p194
# * 1.9.3p327
# * ruby-head (2012-12-03)

# The last statement raises a NoMethodError on:
# * JRuby 1.7.0
# * rubinius 2.0.0dev 2279857e
#
# I /expected/ the NoMethodError behavior



-- 
http://bugs.ruby-lang.org/