Issue #15998 has been updated by Eregon (Benoit Daloze).

matz (Yukihiro Matsumoto) wrote:
> `taint` states will be removed from the language in the near future, along with `$SAFE`.

Do you think it will be removed for Ruby 2.7, or 3.0 maybe?
I searched for a ticket but could not find one for removing tainting.

----------------------------------------
Feature #15998: Allow String#-@ to deduplicate tainted string, but return an untainted one
https://bugs.ruby-lang.org/issues/15998#change-79375

* Author: byroot (Jean Boussier)
* Status: Feedback
* Priority: Normal
* Assignee:
* Target version:
----------------------------------------
Patch: https://github.com/ruby/ruby/pull/2287

There was a previous attempt by Eric Wong to allow deduplication of tainted strings, but it was reverted because of unknown CI issues: https://github.com/ruby/ruby/commit/0493b1ce3a4

The previous approach was trying to segregate tainted fstrings from untainted ones.

This patch is different. Instead it returns an untainted fstring. The rationale is that `String#-@`'s purpose is to deduplicate strings we know will stay in memory for long, if not until exit, hence I'd argue that by doing so we're implicitly trusting them.

A typical usage for instance is:

```ruby
CONFIG = YAML.load_file('path/to/config.yml').transform_keys { |k| -k }.freeze
```

Except the above currently doesn't work because YAML returns tainted instances when it reads from a file, so instead you have to do:

```ruby
CONFIG = YAML.load_file('path/to/config.yml').transform_keys { |k| -(+k).untaint }.freeze
```

Which is fairly inefficient and unexpected. Several times I wondered why `-@` wouldn't deduplicate strings until I noticed they were tainted.

--
https://bugs.ruby-lang.org/
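
An added example, not code from the issue or the patch: it generalises the `transform_keys { |k| -k }` usage above to a nested configuration and counts distinct String objects before and after interning. The helper names and sample records are constructed, and the untaint branch only runs on Rubies older than 2.7, where taint flags still have an effect.

```ruby
# Assumption: taint flags only have an effect before Ruby 2.7 (no-op afterwards,
# methods removed later), so the workaround branch is skipped on newer versions.
TAINT_ACTIVE = RUBY_VERSION < "2.7" && "".respond_to?(:tainted?)

# Return the interned (frozen, shared) copy of +str+ (hypothetical helper).
def intern_trusted(str)
  # Where taint is active, -@ does not deduplicate a tainted string, so untaint
  # a copy; dup leaves the caller's object and its taint flag untouched.
  # Interning this way is an explicit decision to trust the string's content.
  str = str.dup.untaint if TAINT_ACTIVE && str.tainted?
  -str
end

# Walk a parsed configuration (Hash/Array/String nesting) and intern every string.
def deep_intern(obj)
  case obj
  when String then intern_trusted(obj)
  when Array  then obj.map { |v| deep_intern(v) }
  when Hash   then obj.each_with_object({}) { |(k, v), h| h[deep_intern(k)] = deep_intern(v) }
  else obj
  end
end

# Count distinct String objects (by identity, not content) reachable from +obj+.
def distinct_string_objects(obj, seen = {}.compare_by_identity)
  case obj
  when String then seen[obj] = true
  when Array  then obj.each { |v| distinct_string_objects(v, seen) }
  when Hash   then obj.each { |k, v| distinct_string_objects(k, seen); distinct_string_objects(v, seen) }
  end
  seen.size
end

# Constructed sample: three parsed records whose strings are separate objects,
# as a parser would hand them back; values are tainted where taint is active.
def sample_records
  Array.new(3) do
    rec = { "adapter".dup => "postgresql".dup, "host".dup => "db.internal".dup }
    rec.each_value(&:taint) if TAINT_ACTIVE
    rec
  end
end

records = sample_records
puts "distinct String objects before: #{distinct_string_objects(records)}"
puts "distinct String objects after:  #{distinct_string_objects(deep_intern(records))}"
```
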