Hi,

At Mon, 16 Oct 2006 17:16:56 +0900,
Hadmut Danisch wrote in [ruby-core:09198]:
> 
> On Sun, Oct 15, 2006 at 05:33:16PM +0900, Eric Hodel wrote:
> > 
> > Please attach the testcase.
> 
> 
> OK, I have stripped down the testcase further. The program does not
> make much sense anymore, but still shows the bug:

OK, it is a bug related to the taint flag of a shared string.

This would be the minimal code.

  n, = (u = "abcdefghijkl".taint[/.*/].untaint).split(/:/)
  p [u.tainted?, n.tainted?] #=> [false, true]


* string.c (rb_str_substr): keep hidden shared string untainted.


Index: string.c =================================================================== RCS file: /cvs/ruby/src/ruby/string.c,v retrieving revision 1.182.2.53 diff -p -U 2 -r1.182.2.53 string.c --- string.c 7 Oct 2006 15:55:00 -0000 1.182.2.53 +++ string.c 16 Oct 2006 15:09:55 -0000 @@ -611,5 +611,7 @@ rb_str_substr(str, beg, len) else if (len > sizeof(struct RString)/2 && beg + len == RSTRING(str)->len && !FL_TEST(str, STR_ASSOC)) { - str2 = rb_str_new3(rb_str_new4(str)); + str2 = rb_str_new4(str); + FL_UNSET(str2, FL_TAINT); + str2 = rb_str_new3(str2); RSTRING(str2)->ptr += RSTRING(str2)->len - len; RSTRING(str2)->len = len;
-- Nobu Nakada
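
Review bot: The new FL_UNSET(str2, FL_TAINT) in rb_str_substr is applied directly to whatever rb_str_new4(str) returns, and is only safe if that call always yields a fresh hidden object. If it can hand back str itself (for example when str is already frozen), this line would clear the taint flag on the caller's own string. Suggest clearing the flag only when str2 != str, or stating in a comment why that cannot happen. The visible lines also do not show the returned substring being re-tainted from str after rb_str_new3(str2), so please confirm that taint is still propagated to the result after this branch. A one-line comment on why the intermediate is untainted, and a regression test built from the two-line minimal case in this message, would help keep the fix from being undone later.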