Hi,

On Tue, Oct 17, 2006 at 12:11:55AM +0900, Nobuyoshi Nakada wrote:
> 
> OK, it is a bug related to taint flag of shared string.
> 
> -	str2 = rb_str_new3(rb_str_new4(str));
> +	str2 = rb_str_new4(str);
> +	FL_UNSET(str2, FL_TAINT);
> +	str2 = rb_str_new3(str2);
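Review bot: the hunk clears FL_TAINT on the intermediate value returned by rb_str_new4(str) before wrapping it with rb_str_new3, but nothing in these lines shows whether the final str2 is meant to carry the taint state of the original str; a one-line comment stating that the shared (frozen) copy must be untainted and where the result's taint is (re)applied, if it is, would make the intended propagation rule explicit for readers of this code.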


Many thanks.

What exactly is the result of this patch? The security behaviour of
ruby functions should be defined and documented much more precisely. 


IMHO the results of regexp matching (which includes all results like
$1,$2,..., $' $and the boolean value) should be tainted if and only
if either the input string or the pattern is tainted. 

Is this the case?


regards
Hadmut