>>>>> "D" == Dave Thomas <Dave / thomases.com> writes:

D> I'm trying to document all the various taint checks in the
D> interpreter. So far I have:

D> $SAFE >= 1

D> * The environment variables RUBYOPT and RUBYLIB are not
D> processed.
D> * The command line options -e, -i, -I, -r, -s, -S, and -x are
D> not allowed.
D> * The current directory is not added to the path.

Only if $SAFE >= 1 when ruby_init() is called; this means, I think:

 * only for setuid, setgid scripts (see init_ids)
 * embedded applications.

This is a difference with perl (I think), i.e.:

   '#!/usr/bin/perl -T' doesn't have the same effect as '#!/usr/bin/ruby -T'

With $SAFE >= 1, ruby also uses Check_SafeStr(); this means that some
operations are not allowed when the string is tainted.

D> * Processes cannot be exec'd from $PATH if any directory
D> in it is world-writable.

D> $SAFE >= 2

D> * Can't load a file in a world-writable directory.
D> * Can't load a file from a tainted filename starting with ~.

dir.c
 * chdir, chroot, mkdir, rmdir

file.c
 * fstat, lstat, chmod, chown, umask, truncate, flock

io.c
 * ioctl, syscall

process.c
 * fork

signal.c
 * kill, trap

D> $SAFE >= 3

D> * All objects are created tainted.

can't untaint an object

D> $SAFE >= 4

eval.c
 * exit, abort
 * load, require on object files (.so)
   it's possible to load a .rb (???)

gc.c
 * id2ref

D> * Can't close or reopen non-tainted files.

io.c
 * write, close, syswrite, reopen, putc

process.c
 * exit_bang

D> Am I missing anything obvious, and does this list make sense?

There are many "Can't" :-) but some operations are possible when an
object is tainted (this is also very different from perl). See:

   if (rb_safe_level() >= 4 && !OBJ_TAINTED(obj))

Guy Decoux

p.s.: this is mostly for 1.4.*; perhaps there are some changes in 1.5,
I don't know.
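Added illustration, not from this thread or from the interpreter's sources: a small Ruby model of the two checks Guy points at, Check_SafeStr() (which refuses tainted strings once $SAFE >= 1) and the level-4 test `rb_safe_level() >= 4 && !OBJ_TAINTED(obj)` (which refuses untainted objects instead), plus the level-3 rule that new objects are born tainted. Because $SAFE and taint no longer exist in Ruby 3.x, taint is carried by an assumed wrapper class; the names Value, Sandbox and attempt are invented for this example.

```ruby
# Added model (not Ruby's own code) of the checks discussed in the thread:
# Check_SafeStr() refuses TAINTED input once $SAFE >= 1, while the level-4 test
# `rb_safe_level() >= 4 && !OBJ_TAINTED(obj)` refuses UNTAINTED objects instead.
# $SAFE and taint no longer exist in Ruby 3.x, so taint is carried by a wrapper.
class Value
  attr_reader :payload
  def initialize(payload, tainted: false)
    @payload, @tainted = payload, tainted
  end
  def tainted?; @tainted; end
  # Taint propagates to derived values, as it does for Ruby string concatenation.
  def +(other)
    Value.new(@payload + other.payload, tainted: tainted? || other.tainted?)
  end
end

class Sandbox
  def initialize(level)
    @level = level
  end
  # $SAFE >= 3: every object created inside the sandbox is born tainted.
  def create(payload)
    Value.new(payload, tainted: @level >= 3)
  end
  # Check_SafeStr(): at $SAFE >= 1 a tainted string may not reach a sensitive
  # operation (open, exec, load, ...). Returns the raw payload when permitted.
  def check_safe_str(str)
    if @level >= 1 && str.tainted?
      raise SecurityError, "Insecure operation - tainted string at $SAFE=#{@level}"
    end
    str.payload
  end
  # Level-4 rule: only objects the sandbox itself tainted may be modified, so a
  # pre-existing untainted file cannot be written, closed or reopened.
  def check_mutable(obj)
    if @level >= 4 && !obj.tainted?
      raise SecurityError, "Insecure operation - untainted object at $SAFE=#{@level}"
    end
    obj
  end
end

# Runs one check at a given $SAFE level and reports :allowed or :refused.
def attempt(level, check, arg)
  Sandbox.new(level).public_send(check, arg)
  :allowed
rescue SecurityError
  :refused
end
```

For instance, `attempt(1, :check_safe_str, Value.new("/tmp/") + Value.new("x", tainted: true))` is :refused because taint propagated through the concatenation, while `attempt(4, :check_mutable, Sandbox.new(4).create("scratch"))` is :allowed because the object was created (and thus tainted) inside the level-4 sandbox.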