ruby-changes:37417
From: marcandre <ko1@a...>
Date: Thu, 5 Feb 2015 01:41:42 +0900 (JST)
Subject: [ruby-changes:37417] marcandre: r49498 (trunk): * doc/security.rdoc: [DOC] amend symbols section for bug with send [ci-skip]
marcandre 2015-02-05 01:41:38 +0900 (Thu, 05 Feb 2015) New Revision: 49498 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=49498 Log: * doc/security.rdoc: [DOC] ammend symbols section for bug with send [ci-skip] Modified files: trunk/doc/security.rdoc Index: doc/security.rdoc =================================================================== --- doc/security.rdoc (revision 49497) +++ doc/security.rdoc (revision 49498) @@ -75,7 +75,8 @@ They are created when modifying code: https://github.com/ruby/ruby/blob/trunk/doc/security.rdoc#L75 * defining a method (e.g. with +define_method+), * setting an instance variable (e.g. with +instance_variable_set+), * creating a variable or constant (e.g. with +const_set+) -Also, C extensions that have not been updated and are still calling `ID2SYM` +Because of a bug, +send+ and +__send__+ also create immortal symbols. +Finally, C extensions that have not been updated and are still calling `ID2SYM` will create immortal symbols. Don't create immortal symbols from user inputs. Otherwise, this would @@ -84,7 +85,7 @@ flooding it with unique strings, which w https://github.com/ruby/ruby/blob/trunk/doc/security.rdoc#L85 until the Ruby process is killed or causes the system to slow to a halt. While it might not be a good idea to call these with user inputs, methods that -used to be vulnerable such as +to_sym+, +send+, +respond_to?+, +used to be vulnerable such as +to_sym+, +respond_to?+, +method+, +instance_variable_get+, +const_get+, etc. are no longer a threat. == Regular expressions -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
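Review bot: In the first hunk (@@ -75), the new line "Because of a bug, +send+ and +__send__+ also create immortal symbols." gives readers no way to tell which Ruby versions are affected or when the behaviour is fixed; security documentation that describes a known bug should name the affected version range and point at the tracker issue (use a placeholder such as "[Bug #NNNNN]" until the number is known), and it would help to say that the symbol is created from the String argument passed to +send+, so that readers see why untrusted input reaching +send+ is the risk. The rewording of "Also," to "Finally," is fine and keeps the ID2SYM sentence reading correctly.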
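Review bot: In the second hunk (@@ -84), dropping +send+ from "used to be vulnerable such as +to_sym+, +respond_to?+, +method+, ..." is consistent with the first hunk, but this paragraph now says nothing about +send+ at all, so a reader who lands here first cannot tell whether +send+ is safe with user input. Suggest adding a short pointer back to the list of immortal-symbol creators, e.g. "(+send+ and +__send__+ are the exception; see above)", so the two sections do not appear to contradict each other.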