On Sat, Mar 06, 2004 at 01:54:43AM +0900, Simon Strandgaard wrote:
> Should taint information be propagated around?
> Shouldn't it also be propagated through eval?
I believe you shouldn't eval tainted code in the first place - IMHO,
tainting the result of the eval won't gain you anything, since the very
thing taint can protect you from has already happened - you evaled untrusted
code.

> value = 222
> code = "value * 3"
> code.taint
> p code.tainted?
> result = eval code
> p result.tainted?  
> 
> server> ruby a.rb 
> true
> false

Hm - it's hard to explain in this example, since there is no reason to use
eval here...

But take this one (assume custom_expression is submitted from a web-browser)

p custom_expression.tainted?	#Gives: true
code = "(" + custom_expression + ") * 3"
p code.tainted? #Gives: true
result = eval code
p result.tainted? #Gives: false

Now assume the user submits "nil) ; system("killall apache") ; (0" as
custom_expression. When you reach the last line of my example, the exploit
is already done, and you probably don't care if the result of the exploit is
tainted or not.

Or, let's say the hacker is more experienced in ruby. He submits
"nil); class Object ; def tainted? ; false ; end ; end ; (10" as
custom_expression. Now it doesn't even matter if eval propagates the tainted
status of the code or not - after the eval, nothing will appear to be
tainted any more.

Conclusion is, that having a tainted-status propagating eval() might seem a
nice feature at first, but gives you a false sense of security at last.

greetings, Florian Pflug