Hi! I'm seeing something seemingly incorrect in a CGI script wherein an object is untainted, then a new object is created via string interpolation using the untainted object, and the new object becomes tainted. I've whittled the code down to a pretty simple script... I wasn't able to reproduce it without actually using the CGI module though... Here's what I have: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ cat taint.rb $SAFE = 1 require 'cgi' alias log puts cgi = CGI.new("html4Tr") # cgi.out { view = cgi['view'] log("1 view=#{view}") log("2 view tainted? #{view.tainted?}") view.untaint # if view =~ /\A\w*\z/ log("3 view tainted? #{view.tainted?}") filename = "demo/#{view}" #### ****** filename can become tainted! log("4 filename tainted? #{filename.tainted?}") filename.untaint unless view.tainted? log("5 filename tainted? #{filename.tainted?}") # } ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The output is: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ ruby -v ruby 1.8.1 (2003-12-25) [i686-linux] $ ruby taint.rb (offline mode: enter name=value pairs on standard input) view=spang 1 view=spang 2 view tainted? false 3 view tainted? false 4 filename tainted? true 5 filename tainted? false ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [I don't know if I'm doing something stupid... In the actual real CGI script, (as opposed to the "offline mode" whittled down one) I'm used to output line #2 being "true" as well. I'm not sure why line #2 is false here... so I'm worried I'm overlooking something silly..] In any case, it's line #4 that is causing me trouble. In both this test script and in the real CGI script, my log shows I've successfully untainted the object (referenced by the 'view' variable) prior to using it in the string interpolation: filename = "demo/#{view}" ..and yet 'filename' is coming out tainted. That's not correct behavior is it? Or am I missing something? Thanks! Regards, Bill