ruby-changes:37415

From: marcandre <ko1@a...>
Date: Thu, 5 Feb 2015 01:24:30 +0900 (JST)
Subject: [ruby-changes:37415] marcandRe: r49496 (trunk): * doc/security.rdoc: [DOC] update symbols section [ci-skip]

marcandre	2015-02-05 01:24:16 +0900 (Thu, 05 Feb 2015)

  New Revision: 49496

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=49496

  Log:
    * doc/security.rdoc: [DOC] update symbols section [ci-skip]

  Modified files:
    trunk/doc/security.rdoc
Index: doc/security.rdoc
===================================================================
--- doc/security.rdoc	(revision 49495)
+++ doc/security.rdoc	(revision 49496)
@@ -66,16 +66,26 @@ method, variable and constant names. The https://github.com/ruby/ruby/blob/trunk/doc/security.rdoc#L66
 simply integers with names attached to them, so they are faster to look up in
 hashtables.
 
-Be careful with passing user input to methods such as +send+,
-+instance_variable_get+ or +_set+, +const_get+ or +_set+, etc.
-as these methods will convert string parameters to immortal symbols internally.
-This means that the memory used by the symbols are never freed.  This could
+Starting in version 2.2, most symbols can be garbage collected; these are
+called <i>mortal</i> symbols. Most symbols you create (e.g. by calling
++to_sym+) are mortal.
+
+<i>Immortal</i> symbols on the other hand will never be garbage collected.
+They are created when modifying code:
+* defining a method (e.g. with +define_method+),
+* setting an instance variable (e.g. with +instance_variable_set+),
+* creating a variable or constant (e.g. with +const_set+)
+Also, C extensions that have not been updated and are still calling `ID2SYM`
+will create immortal symbols.
+
+Don't create immortal symbols from user inputs. Otherwise, this would
 allow a user to mount a denial of service attack against your application by
 flooding it with unique strings, which will cause memory to grow indefinitely
 until the Ruby process is killed or causes the system to slow to a halt.
 
-The workaround to this is simple - don't call reflection/metaprogramming
-methods with user input.
+While it might not be a good idea to call these with user inputs, methods that
+used to be vulnerable such as +to_sym+, +send+, +respond_to?+,
++method+, +instance_variable_get+, +const_get+, etc. are no longer a threat.
 
 == Regular expressions
 
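Review bot: the new bullet list under "They are created when modifying code:" is missing a terminating period on its last item ("creating a variable or constant (e.g. with +const_set+)") and runs straight into "Also, C extensions ..." with no blank line, so the separation between the list and the following paragraph depends on RDoc's list-termination rules; add the period and a blank line before "Also,". The same paragraph marks +ID2SYM+ with backticks while every other code reference in this file uses the RDoc +...+ markup (+define_method+, +instance_variable_set+, +const_set+), so it should read "+ID2SYM+" for consistent rendering. In the closing paragraph, "While it might not be a good idea to call these with user inputs" leaves "these" ambiguous between the immortal-symbol-creating methods just listed and the formerly vulnerable ones that follow; suggest "While passing user input to the methods above is still unwise, methods that used to be vulnerable such as ...".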

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/