On Wed, Feb 13, 2013 at 11:16:31AM +0900, shugo (Shugo Maeda) wrote:
> 
> Issue #7839 has been updated by shugo (Shugo Maeda).
> 
> 
> phluid61 (Matthew Kerwin) wrote:
> > Also, would you expect to be able to thaw it out again?  It might be enough in the short term to, e.g.
> >     begin
> >       Symbol.freeze_symbols
> >       YAML.load(...)
> >     ensure
> >       Symbol.thaw_symbols
> >     end

I think having a freeze and thaw would be fine.

> If this is a main use case of Symbol.freeze_symbols, it might be better to have an option for String#intern to control whether symbol creation is allowed, and to make YAML.safe_load use it.
> 
>    :foo
>    "foo".intern #=> :foo
>    "bar".intern #=> :bar
>    "foo".intern(allow_new: false) #=> :foo
>    "bar".intern(allow_new: false) #=> error

The problem with this is we can be calling foreign code.  We have to
force all library authors to use it.  Library authors may not expect
that calls to ".intern" will be fed user input.

Most security issues we have to deal with (even the YAML example) are
cases where we do not expect to process foreign input.

> I guess it can be implemented easily compared to Symbol GC.

Even freezing and thawing would definitely be easier than Symbol GC.

-- 
Aaron Patterson
http://tenderlovemaking.com/
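
The point about foreign code can be shown with a process-wide switch, written here as an added example that is not code from the thread or from Ruby itself. SymbolGuard, NewSymbolError and foreign_library_lookup are hypothetical names, and the guard only emulates the proposed Symbol.freeze_symbols for String#intern and String#to_sym.

```ruby
# Added illustration: emulates the proposed Symbol.freeze_symbols in plain Ruby.
# SymbolGuard and NewSymbolError are hypothetical names, not Ruby APIs.
module SymbolGuard
  class NewSymbolError < StandardError; end
  @frozen = false

  class << self
    def frozen?
      @frozen
    end

    # Run the block with symbol creation through String#intern/#to_sym refused,
    # then restore the previous state (the begin/ensure shape from the thread).
    def freeze_symbols
      previous = @frozen
      @frozen = true
      yield
    ensure
      @frozen = previous
    end

    # True if a symbol with this name already exists; never creates one.
    def known?(name)
      Symbol.all_symbols.any? { |sym| sym.to_s == name }
    end

    def check!(name)
      return unless @frozen && !known?(name)
      raise NewSymbolError, "refusing to create symbol #{name.inspect}"
    end
  end

  # Prepended to String, so every caller is covered, including library code
  # that never opted in to an allow_new: false style option.
  module StringPatch
    def to_sym
      SymbolGuard.check!(self)
      super
    end

    def intern
      SymbolGuard.check!(self)
      super
    end
  end
end
String.prepend(SymbolGuard::StringPatch)

# Stand-in for third-party code that interns its argument with no option.
def foreign_library_lookup(key)
  key.intern
end
```

Symbol literals and symbols created inside C extensions do not go through these Ruby methods, so this emulation does not cover them.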