Yukihiro Matsumoto wrote:

> Hi,

Moin!

> Thank you for the report.  I will fix this soon, but the
> SystemStackError object will remain reused.

First of all: Thanks for fixing this so fast! :)

I think your fix might introduce a new security hole in this rare case:

An attacker in a safe environment causes the first SystemStackError of 
your application to happen and rescues it into a variable. He then does 
this:

   def error.inspect
     puts "Gotcha!"
   end

Later in your application code outside of the safe environment another 
SystemStackError occurs (the attacker can't cause this which means that 
this whole condition is quite rare) and the malicious inspect-method of 
the SystemStackError is called.

I think that this can be fixed by also freezing the globally stored 
system stack error:

--- old/ruby/eval.c   Fri Oct 31 21:24:47 2003
+++ new/ruby/eval.c   Fri Oct 31 21:29:15 2003
@@ -7736,6 +7736,7 @@ Init_Proc()
      rb_eSysStackError = rb_define_class("SystemStackError", 
rb_eStandardError);
      sysstack_error = rb_exc_new2(rb_eSysStackError, "stack level too 
deep");
      OBJ_TAINT(sysstack_error);
+    OBJ_FREEZE(sysstack_error);
      rb_global_variable(&sysstack_error);

      rb_cProc = rb_define_class("Proc", rb_cObject);
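Review bot: the hunk will not apply as posted because the mail client has wrapped two of its context lines (`rb_eStandardError);` and `deep");` now sit on lines of their own without a leading space); resend the patch unwrapped or as an attachment. On the change itself, `OBJ_FREEZE(sysstack_error)` does close the singleton-method hole for an object that "will remain reused", but a frozen object rejects every later write to it, so it is worth confirming that the code path which raises this shared instance never needs to modify it afterwards (instance variables, backtrace) once it is frozen.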


Regards,
Florian Gross
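An added example, not from the thread above or from Ruby's own source, showing the behaviour the proposed freeze relies on: an unfrozen, reused exception object accepts a singleton `inspect` that later callers then pick up, while a frozen one rejects the definition. `ReusedError`, the two constants and the helper names are constructed stand-ins for the interpreter's single pre-allocated SystemStackError instance.

```ruby
# Added example, not from the original thread: demonstrates why a reused,
# globally shared exception object needs to be frozen.  ReusedError stands
# in for the interpreter's single pre-allocated SystemStackError instance.

class ReusedError < StandardError; end

MESSAGE = "stack level too deep"

# Constructed stand-ins for the shared instance: one left mutable, one
# frozen the way the proposed OBJ_FREEZE() call would leave it.
MUTABLE_SHARED = ReusedError.new(MESSAGE)
FROZEN_SHARED  = ReusedError.new(MESSAGE).freeze

# Models untrusted code that rescued the shared instance and tries to attach
# a singleton #inspect to it.  Returns :tampered when the definition
# succeeds and :protected when the object rejects it.
def attempt_singleton_override(error)
  error.define_singleton_method(:inspect) { "tampered" }
  :tampered
rescue StandardError # FrozenError on current Ruby, RuntimeError/TypeError on older releases
  :protected
end

# What later, trusted code observes when it calls #inspect on the shared
# instance after the attempt above.
def observed_inspect(error)
  error.inspect
end

if __FILE__ == $PROGRAM_NAME
  puts attempt_singleton_override(MUTABLE_SHARED) # tampered
  puts observed_inspect(MUTABLE_SHARED)           # tampered
  puts attempt_singleton_override(FROZEN_SHARED)  # protected
  puts observed_inspect(FROZEN_SHARED)            # #<ReusedError: stack level too deep>
end
```

The check to take away from this is the second `observed_inspect` call: once the instance is frozen, whatever rescued it earlier cannot change what trusted code sees when it formats the error later.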