On Wed, Feb 13, 2013 at 05:15:25PM +0900, alexeymuranov (Alexey Muranov) wrote:
> 
> Issue #7839 has been updated by alexeymuranov (Alexey Muranov).
> 
> 
> Sorry about a naïve idea, but what would you say about prohibiting interning tainted strings instead?

It seems like a good idea, except that tainting is not reliable.  For
example:

  irb(main):001:0> require 'json'
  => true
  irb(main):002:0> user_input = "{\"foo\":\"bar\"}".taint
  => "{\"foo\":\"bar\"}"
  irb(main):003:0> user_input.tainted?
  => true
  irb(main):004:0> params = JSON.parse user_input
  => {"foo"=>"bar"}
  irb(main):005:0> params['foo'].tainted?
  => false

In this case, a tainted string becomes untainted.  I guess it's OK for
tainted strings to become untainted, but how is someone supposed to
verify if the JSON is safe without first parsing the JSON before sending
the JSON to the JSON parser?  My head is spinning.

C extension authors need to use rb_tainted_str*, but most of them just
use rb_str_new.  You can increase $SAFE high enough that all objects are
tainted on creation, but nobody uses $SAFE (I think MRI is the only
implementation of Ruby that has it).

In short:  :-(

-- 
Aaron Patterson
http://tenderlovemaking.com/
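Since the reply above shows that taint does not survive JSON.parse, the mitigation that does not depend on tainting is to intern only keys the application already knows. The following is an added example, not code from the thread or from Ruby itself; the allowlist and the input document are constructed for illustration.

```ruby
require 'json'

# Keys the application actually understands; only these are ever interned.
# Constructed for this example; a real application lists its own schema keys.
ALLOWED_KEYS = %w[foo user_id role].freeze

# Parse an untrusted JSON object and symbolize only allowlisted keys.
# Unknown keys stay as Strings, so attacker-chosen text never reaches
# String#to_sym, whether or not it is (still) marked tainted.
def symbolize_allowed_keys(json_text, allowed = ALLOWED_KEYS)
  data = JSON.parse(json_text)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)

  data.each_with_object({}) do |(key, value), out|
    out[allowed.include?(key) ? key.to_sym : key] = value
  end
end

# Keys that were left as Strings, i.e. not interned; useful to log when
# input contains names the schema does not expect.
def unknown_keys(parsed)
  parsed.keys.select { |k| k.is_a?(String) }
end

if __FILE__ == $0
  # Constructed untrusted input: one expected key and one arbitrary key.
  input = '{"foo":"bar","zz_random_123":"x"}'
  parsed = symbolize_allowed_keys(input)
  p parsed                # {:foo=>"bar", "zz_random_123"=>"x"}
  p unknown_keys(parsed)  # ["zz_random_123"]
end
```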