Issue #14225 has been reported by normalperson (Eric Wong).

----------------------------------------
Feature #14225: untaint hash key strings
https://bugs.ruby-lang.org/issues/14225

* Author: normalperson (Eric Wong)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
Since we are working on deprecating and removing $SAFE for [Feature #5455],
I propose untainting all string keys used for hashes in Ruby 2.6.

It will make implementing [Feature #13725] (fstring dedupe of hash keys) easier.

Furthermore, Perl (which I assume is the influence for tainting in Ruby) does
not taint hash keys.  In fact, the perlsec(1) manpage states:
"Hash keys are never tainted"
cf. http://perldoc.perl.org/perlsec.html



