Warn on access/modify of $SAFE, and remove effects of modifying $SAFE #2476
Merged
jeremyevans merged 12 commits into ruby:master from Nov 17, 2019
This removes the security features added by $SAFE = 1, and warns for access or modification of $SAFE from Ruby-level, as well as warning when calling all public C functions related to $SAFE.

This modifies some internal functions that took a safe level argument to no longer take the argument.

rb_require_safe now warns, rb_require_string has been added as a version that takes a VALUE and does not warn.

One public C function that still takes a safe level argument and that this doesn't warn for is rb_eval_cmd. We may want to consider adding an alternative method that does not take a safe level argument, and warn for rb_eval_cmd.
This removes the related tests, and puts the related specs behind version guards. This affects all code in lib, including some libraries that may want to support older versions of Ruby.
Ruby 2.7 deprecates taint and it no longer has an effect.
Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions. Still untaint the tmpdir object on Ruby <2.7, as returning a tainted string there could cause problems.
Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions.
rb_eval_cmd takes a safe level, and now that $SAFE is deprecated, it should be deprecated as well. Replace with rb_eval_cmd_kw, which takes a keyword flag. Switch the two callers to this function.
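Added example (not code from this pull request): a version guard of the kind the tmpdir commit above describes, next to a check showing why a guard that relies on `tainted?` stops rejecting anything once every object counts as untainted. The helper names and the plugin allowlist are hypothetical.

```ruby
require "rubygems" # Gem::Version, for a correct version comparison

# Constructed allowlist, used only for this illustration.
ALLOWED_PLUGINS = %w[csv json].freeze

# Taint flags only have an effect on interpreters older than Ruby 2.7.
def taint_effective?(ruby_version = RUBY_VERSION)
  Gem::Version.new(ruby_version) < Gem::Version.new("2.7")
end

# Untaint only where it still matters. Elsewhere the object is returned
# untouched, so no deprecation warning is emitted and no call is made to
# a method that the running interpreter may not define.
def untaint_compat(obj, ruby_version = RUBY_VERSION)
  return obj unless taint_effective?(ruby_version) && obj.respond_to?(:untaint)
  obj.untaint
end

# Legacy pattern: trust the taint flag. From 2.7 on, every object is
# considered untainted, so this guard accepts any input.
def legacy_guard_passes?(name)
  !(name.respond_to?(:tainted?) && name.tainted?)
end

# Replacement: validate the value itself instead of relying on taint.
def explicit_guard_passes?(name)
  ALLOWED_PLUGINS.include?(name)
end
```

Code that used `$SAFE` or `tainted?` as its only barrier needs the explicit form, because the legacy guard keeps returning true without raising.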
kamipo added a commit to kamipo/sqlite3-ruby that referenced this pull request on Nov 21, 2019
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.
https://buildkite.com/rails/rails/builds/65054#5aa2db21-569d-4202-99cd-a8323cab583e/6-8

kamipo added a commit to kamipo/ruby-pg that referenced this pull request on Nov 21, 2019
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.
https://buildkite.com/rails/rails/builds/65054#14bdbd8c-d935-4b80-8842-c81266a1a34e/6-8

kamipo added a commit to kamipo/tzinfo that referenced this pull request on Nov 21, 2019
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.
https://buildkite.com/rails/rails/builds/65069#dddcc2a1-a23c-4bc2-9eaf-351295244d1f/991-993

kamipo added a commit to kamipo/mysql2 that referenced this pull request on Nov 21, 2019
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.

kamipo added a commit to kamipo/tzinfo that referenced this pull request on Nov 24, 2019
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
This is an alternative to tzinfo#108.

sodabrew pushed a commit to brianmario/mysql2 that referenced this pull request on Dec 1, 2019
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.

BrianHawley added a commit to BrianHawley/rbtree3 that referenced this pull request on Jan 19, 2020
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.
The format of Proc inspect has changed too. Adjusted the affected test.
[Fixes kyrylo#6]

BrianHawley added a commit to BrianHawley/rbtree3 that referenced this pull request on Jan 20, 2020
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.
The format of Proc inspect has changed too. Adjusted the affected test.
[Fixes kyrylo#6]

snehaso pushed a commit to fac/mysql2 that referenced this pull request on Jan 21, 2020
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.

snehaso pushed a commit to fac/mysql2 that referenced this pull request on Jan 22, 2020
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.

rangeroob pushed a commit to rangeroob/sqlite3-ruby-static that referenced this pull request on Apr 12, 2020
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3.
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned with deprecation messages.
https://buildkite.com/rails/rails/builds/65054#5aa2db21-569d-4202-99cd-a8323cab583e/6-8
(cherry picked from commit 0894fba)

raj-sharan added a commit to raj-sharan/ruby-odbc that referenced this pull request on Jul 3, 2023
The taint mechanism was deprecated in Ruby 2.7 and removed in Ruby 3.0
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
From Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now removed.

raj-sharan added a commit to raj-sharan/ruby-odbc that referenced this pull request on Jul 3, 2023
The taint mechanism was deprecated in Ruby 2.7 and removed in Ruby 3.0
https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476
From Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now removed.
Changes taken from https://github.com/vhermecz/ruby-odbc