Issue #9564 has been reported by Jan Rusnacko.

----------------------------------------
Bug #9564: Tainted string permitted in Kernel.trap in safe level 1
https://bugs.ruby-lang.org/issues/9564

* Author: Jan Rusnacko
* Status: Open
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
* ruby -v: all?
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
According to the existing documentation (I am referring to Programming Ruby: The
Pragmatic Programmer's Guide at http://ruby-doc.com/docs/ProgrammingRuby/ and
The Ruby Programming Language by Flanagan, Matsumoto) Kernel.trap should not
accept a tainted string if $SAFE >= 1.

However, this is true only for $SAFE >= 2; a tainted signal string is accepted
at safe level 1:

signal = "SIGKILL".taint

Thread.start {
  $SAFE = 1
  # no exception
  trap(signal) { puts 'foo'}
}.join

Thread.start {
  $SAFE = 2
  # throws SecurityError
  trap(signal) { puts 'foo'}
}.join



-- 
http://bugs.ruby-lang.org/
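Added example (editor's code, not part of the bug report above): rather than
relying on $SAFE and taint checks, which as reported only reject a tainted
signal name at $SAFE >= 2 and which later Ruby versions no longer provide,
validate the signal name against Signal.list and fail closed on anything
else before it reaches trap. The helper names safe_trap, known_signal? and
usr1_round_trip are this example's own; only Kernel#trap, Signal.list and
Process.kill are Ruby's. The round trip sends SIGUSR1 to the current process,
so it assumes a POSIX platform.

```ruby
# Canonical form that trap accepts: upper-case, without the leading "SIG".
def normalize_signal_name(signal)
  signal.to_s.strip.upcase.sub(/\ASIG/, '')
end

# Only names the interpreter itself knows are acceptable input.
def known_signal?(signal)
  Signal.list.key?(normalize_signal_name(signal))
end

# Wrapper around Kernel#trap (hypothetical helper, not a Ruby API): rejects
# tainted names on Rubies that still track taint, and unknown names
# everywhere, before the real trap is called. KILL and STOP are still
# rejected by trap itself.
def safe_trap(signal, &handler)
  if signal.respond_to?(:tainted?) && signal.tainted?
    raise SecurityError, "Insecure operation: tainted signal name #{signal.inspect}"
  end
  name = normalize_signal_name(signal)
  unless Signal.list.key?(name)
    raise ArgumentError, "unknown signal name #{signal.inspect}"
  end
  trap(name, &handler)
end

# Round trip: install a USR1 handler through safe_trap, send the signal to
# this process, wait briefly for delivery, restore the previous handler and
# report whether the handler ran.
def usr1_round_trip
  delivered = false
  previous = safe_trap("SIGUSR1") { delivered = true }
  Process.kill("USR1", Process.pid)
  20.times do
    break if delivered
    sleep 0.05
  end
  trap("USR1", previous) # previous is "DEFAULT" or an earlier Proc
  delivered
end

if __FILE__ == $0
  puts "SIGKILL known:    #{known_signal?("SIGKILL")}"
  puts "bogus name known: #{known_signal?("NOT_A_SIGNAL")}"
  puts "USR1 handler ran: #{usr1_round_trip}"
end
```

The allow-list check does not depend on $SAFE at all, so the same code behaves
identically at safe level 1 and 2, and on interpreters without taint tracking;
a name that is not in Signal.list raises ArgumentError before trap sees it.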