Hi,

At Tue, 17 Oct 2006 18:12:15 +0900,
Nobuyoshi Nakada wrote in [ruby-core:09215]:
> > What exactly is the result of this patch? The security behaviour of
> > ruby functions should be defined and documented much more precisely.
> 
> To make underlying shared string untainted, but the patch was wrong.

A new patch.


* string.c (rb_str_substr): should be infected only with the original
  string, not with the shared string.  [ruby-core:09152]


Index: string.c =================================================================== RCS file: /cvs/ruby/src/ruby/string.c,v retrieving revision 1.286 diff -p -U 2 -r1.286 string.c --- string.c 16 Oct 2006 23:07:07 -0000 1.286 +++ string.c 17 Oct 2006 15:00:04 -0000 @@ -204,5 +204,4 @@ str_new3(VALUE klass, VALUE str) FL_SET(str2, ELTS_SHARED); } - OBJ_INFECT(str2, str); return str2; @@ -212,5 +211,8 @@ VALUE rb_str_new3(VALUE str) { - return str_new3(rb_obj_class(str), str); + VALUE str2 = str_new3(rb_obj_class(str), str); + + OBJ_INFECT(str2, str); + return str2; } @@ -636,5 +638,6 @@ rb_str_substr(VALUE str, long beg, long else if (len > RSTRING_EMBED_LEN_MAX && beg + len == RSTRING_LEN(str) && !STR_ASSOC_P(str)) { - str2 = rb_str_new3(rb_str_new4(str)); + str2 = rb_str_new4(str); + str2 = str_new3(rb_obj_class(str2), str); RSTRING(str2)->as.heap.ptr += RSTRING_LEN(str2) - len; RSTRING(str2)->as.heap.len = len;
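Review bot: in the first hunk (str_new3), dropping `OBJ_INFECT(str2, str);` changes the contract of the internal helper: every caller of str_new3 other than the two shown here (rb_str_new3, which now infects explicitly, and rb_str_substr) will from now on receive a string that shares the original buffer without inheriting its taint. Please list and check the remaining str_new3 call sites in string.c before this goes in; a missed one would let tainted contents surface in an untainted object, which is exactly the class of bug the taint mechanism exists to prevent.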
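Review bot: in the second hunk (rb_str_new3), the explicit `OBJ_INFECT(str2, str);` keeps the public rb_str_new3 behaving as before, which is right, but a one-line comment saying that infection is deliberately done here and not in str_new3 (because rb_str_substr needs the uninfected variant) would stop a later reader from "fixing" the helper by moving it back.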
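Review bot: in the third hunk (rb_str_substr), `str2 = rb_str_new4(str);` is immediately overwritten by `str2 = str_new3(rb_obj_class(str2), str);`, so the first call is kept only for its side effect on str and for the class it returns; a short comment stating that intent would help. More importantly, the visible lines now contain no OBJ_INFECT for str2 at all, so the substring's taint must be taken from str somewhere later in rb_str_substr (outside this hunk); please confirm that path exists for this branch, otherwise a substring of a tainted string would come back untainted.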
-- Nobu Nakada