ruby-changes:37387
From: nobu <ko1@a...>
Date: Mon, 2 Feb 2015 10:51:57 +0900 (JST)
Subject: [ruby-changes:37387] nobu:r49468 (trunk): security.rdoc: update about Symbol GC [ci skip]
nobu 2015-02-02 10:51:37 +0900 (Mon, 02 Feb 2015) New Revision: 49468 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=49468 Log: security.rdoc: update about Symbol GC [ci skip] * doc/security.rdoc (Symbols): update about Symbol GC. Symbols explicitly converted from Strings now can be collected, but reflection/metaprogramming still can cause memory flooding. [Fix GH-725] Modified files: trunk/ChangeLog trunk/doc/security.rdoc Index: doc/security.rdoc =================================================================== --- doc/security.rdoc (revision 49467) +++ doc/security.rdoc (revision 49468) 
@@ -66,20 +66,16 @@ method, variable and constant names. The https://github.com/ruby/ruby/blob/trunk/doc/security.rdoc#L66 simply integers with names attached to them, so they are faster to look up in hashtables. -Once a symbol is created, the memory used by it is never freed. If you convert -user input to symbols with +to_sym+ or +intern+, it is possible for an attacker -to mount a denial of service attack against your application by flooding it -with unique strings. Because each string is kept in memory until the Ruby -process exits, this will cause memory consumption to grow and grow until Ruby -runs out of memory and crashes. - Be careful with passing user input to methods such as +send+, -+instance_variable_get+ or +_set+, +const_get+ or +_set+, etc. as these methods -will convert string parameters to symbols internally and pose the same DoS -potential as direct conversion through +to_sym+/+intern+. ++instance_variable_get+ or +_set+, +const_get+ or +_set+, etc. +as these methods will convert string parameters to immortal symbols internally. +This means that the memory used by the symbols are never freed. This could +allow a user to mount a denial of service attack against your application by +flooding it with unique strings, which will cause memory to grow indefinitely +until the Ruby process is killed or causes the system to slow to a halt. -The workaround to this is simple - don't convert user input to symbols. You -should attempt to leave user input in string form instead. +The workaround to this is simple - don't call reflection/metaprogramming +methods with user input. == Regular expressions Index: ChangeLog =================================================================== --- ChangeLog (revision 49467) +++ ChangeLog (revision 49468) 
@@ -1,3 +1,10 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Mon Feb 2 10:51:34 2015 Ari Pollak <ajp@a...> + + * doc/security.rdoc (Symbols): update about Symbol GC. Symbols + explicitly converted from Strings now can be collected, but + reflection/metaprogramming still can cause memory flooding. + [Fix GH-725] + Sun Feb 1 13:46:52 2015 Nobuyoshi Nakada <nobu@r...> * tool/rbinstall.rb (bin-comm): drop batch file installation. -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
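Review bot: two grammar problems in the rewritten paragraph of the doc/security.rdoc hunk: "the memory used by the symbols are never freed" should read "the memory used by the symbols is never freed", and the run-on "+const_get+ or +_set+, etc. as these methods will convert" needs a comma before "as" (the unchanged "Be careful with passing user input" lead sentence now flows straight into the new text). Suggested lines: "+as these methods will convert string parameters to immortal symbols internally." / "+This means that the memory used by the symbols is never freed. This could".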
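Review bot: the ChangeLog hunk records that "Symbols explicitly converted from Strings now can be collected", but the security.rdoc hunk only deletes the old +to_sym+/+intern+ warning and never states this; readers of the doc are left to infer it from the absence of a paragraph. Suggest adding one sentence to doc/security.rdoc saying that symbols created with +to_sym+/+intern+ can now be garbage collected, so the remaining warning about +send+, +instance_variable_get+/+_set+ and +const_get+/+_set+ is understood as the exception rather than the rule.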