Seems like a bug to me.

I filed #8161 (and 8162 for the doc).


On Sun, Mar 24, 2013 at 4:58 AM, Nikolai Weibull <now / bitwi.se> wrote:

> On Sat, Mar 23, 2013 at 10:42 PM, Nikolai Weibull <now / bitwi.se> wrote:
> > On Sat, Mar 23, 2013 at 8:30 PM, KOSAKI Motohiro
> > <kosaki.motohiro / gmail.com> wrote:
> >> On Sat, Mar 23, 2013 at 2:45 PM, Nikolai Weibull <now / bitwi.se> wrote:
>
> >>> Why doesn=92t String#+ return an untrusted result if self or other is
> untrusted?
>
> >> IIUC, untrusted mean an object was created from untrusted code (i.e.
> $SAFE >=3D3).
>
> > OK, so the reasoning then is that since String#+ creates a result that
> > contains data from outside of the receiver, untrust isn=92t inherited,
> > whereas with String#slice and String#downcase the whole result comes
> > from an untrusted source and thus untrust is inherited.
>
> (This explanation isn=92t consistent with String#center, String#ljust,
> and String#rjust, as their results inherit untrust from the padding
> argument, so there must be something deeper going on here.)
>
>