Issue #14060 has been updated by znz (Kazuhiro NISHIYAMA).


I checked.

- In `gemspec_stubs_in`, `dir` is tainted
- In caller, `default_specifications_dir` is tainted
- In `rubygems/basic_specification.rb`, `Gem.default_dir` is tainted
- In `default_dir`, `RbConfig::CONFIG['rubylibprefix']` is tainted in my environment

In rbconfig, `TOPDIR.tainted?` changed.

```
% rbenv each ruby -vrrbconfig -e 'p RbConfig::TOPDIR.tainted?'
ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
false
ruby 2.5.0dev (2017-10-30 trunk 60579) [x86_64-linux]
true
```

Using `git bisect`, `TOPDIR.tainted?` is true since r59984.

----------------------------------------
Bug #14060: SecurityError with $SAFE=1 when requiring an untainted path
https://bugs.ruby-lang.org/issues/14060#change-67646

* Author: philr3 (Phil Ross)
* Status: Assigned
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
* Target version: 
* ruby -v: ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
Calling `Kernel#require` with `$SAFE=1` on Ruby 2.5.0preview1 results in a `SecurityError` when the path being required is not tainted:

~~~ ruby
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        from (irb):5
        from /home/philr/.rbenv/versions/2.5.0-preview1/bin/irb:11:in `<main>'
irb(main):006:0> $:.find_all {|p| p.tainted? }
=> []
~~~

I would expect the `SecurityError` to be raised only when the path being required is tainted. For example, on Ruby 2.4.2:

~~~ ruby
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
=> true
irb(main):006:0> tainted_f = 'fileutils'.taint
=> "fileutils"
irb(main):007:0> tainted_f.tainted?
=> true
irb(main):008:0> require tainted_f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from (irb):8
        from /home/philr/.rbenv/versions/2.4.2/bin/irb:11:in `<main>'
~~~




-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>