ruby-changes:37433
From: marcandre <ko1@a...>
Date: Fri, 6 Feb 2015 05:06:31 +0900 (JST)
Subject: [ruby-changes:37433] marcandre: r49514 (trunk): * doc/security.rdoc: [DOC] amend symbols section for bug with
marcandre	2015-02-06 05:06:11 +0900 (Fri, 06 Feb 2015)

  New Revision: 49514

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=49514

  Log:
    * doc/security.rdoc: [DOC] amend symbols section for bug with
      keyword args [ci-skip]

  Modified files:
    trunk/doc/security.rdoc

Index: doc/security.rdoc
===================================================================
--- doc/security.rdoc	(revision 49513)
+++ doc/security.rdoc	(revision 49514)
@@ -75,9 +75,10 @@ They are created when modifying code:
https://github.com/ruby/ruby/blob/trunk/doc/security.rdoc#L75
 * defining a method (e.g. with +define_method+),
 * setting an instance variable (e.g. with +instance_variable_set+),
 * creating a variable or constant (e.g. with +const_set+)
-Because of a bug, +send+ and +__send__+ also create immortal symbols.
-Finally, C extensions that have not been updated and are still calling `ID2SYM`
+C extensions that have not been updated and are still calling `ID2SYM`
 will create immortal symbols.
+Bugs in 2.2.0: +send+ and +__send__+ also created immortal symbols,
+and calling methods with keyword arguments could also create some.
 
 Don't create immortal symbols from user inputs. Otherwise, this would allow
 a user to mount a denial of service attack against your application by

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
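Review bot: the added lines "+Bugs in 2.2.0: +send+ and +__send__+ also created immortal symbols," / "+and calling methods with keyword arguments could also create some." name the affected release but not the release in which either bug was fixed, so a reader on a 2.2.x patch level cannot tell from this section whether their interpreter still interns these symbols permanently; suggest stating the fixed version (or linking the tracker entries) and replacing the vague "could also create some" with a sentence that says what gets interned, since the next paragraph's denial-of-service advice depends on the reader knowing which inputs are at risk. Minor: with "Finally," dropped from the "C extensions ... `ID2SYM`" line, that sentence now follows the bullet list with no connective; "In addition," or similar would keep the list and the sentence reading as one enumeration.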