From c5c05460ac20abcbc0ed686eb4acf06da7a39a79 Mon Sep 17 00:00:00 2001 From: Jeremy Evans Date: Fri, 20 Sep 2019 19:06:22 -0700 Subject: Warn on access/modify of $SAFE, and remove effects of modifying $SAFE This removes the security features added by $SAFE = 1, and warns for access or modification of $SAFE from Ruby-level, as well as warning when calling all public C functions related to $SAFE. This modifies some internal functions that took a safe level argument to no longer take the argument. rb_require_safe now warns, rb_require_string has been added as a version that takes a VALUE and does not warn. One public C function that still takes a safe level argument and that this doesn't warn for is rb_eval_cmd. We may want to consider adding an alternative method that does not take a safe level argument, and warn for rb_eval_cmd. --- safe.c | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) (limited to 'safe.c') diff --git a/safe.c b/safe.c index 9c668e3842..7f340ffae2 100644 --- a/safe.c +++ b/safe.c @@ -28,18 +28,21 @@ int ruby_safe_level_2_warning(void) { + rb_warn("rb_safe_level_2_warning will be removed in Ruby 3.0"); return 2; } int rb_safe_level(void) { + rb_warn("rb_safe_level will be removed in Ruby 3.0"); return GET_VM()->safe_level_; } void rb_set_safe_level_force(int safe) { + rb_warn("rb_set_safe_level_force will be removed in Ruby 3.0"); GET_VM()->safe_level_ = safe; } @@ -48,6 +51,7 @@ rb_set_safe_level(int level) { rb_vm_t *vm = GET_VM(); + rb_warn("rb_set_safe_level will be removed in Ruby 3.0"); if (level > SAFE_LEVEL_MAX) { rb_raise(rb_eArgError, "$SAFE=2 to 4 are obsolete"); } @@ -68,28 +72,47 @@ rb_set_safe_level(int level) static VALUE safe_getter(ID _x, VALUE *_y) { - return INT2NUM(rb_safe_level()); + rb_warn("$SAFE will become a normal global variable in Ruby 3.0"); + return INT2NUM(GET_VM()->safe_level_); } static void safe_setter(VALUE val, ID _x, VALUE *_y) { int level = NUM2INT(val); - rb_set_safe_level(level); + rb_vm_t *vm = GET_VM(); + + rb_warn("$SAFE will become a normal global variable in Ruby 3.0"); + if (level > SAFE_LEVEL_MAX) { + rb_raise(rb_eArgError, "$SAFE=2 to 4 are obsolete"); + } + else if (level < 0) { + rb_raise(rb_eArgError, "$SAFE should be >= 0"); + } + else { + int line; + const char *path = rb_source_location_cstr(&line); + + if (0) fprintf(stderr, "%s:%d $SAFE %d -> %d\n", + path ? path : "-", line, vm->safe_level_, level); + + vm->safe_level_ = level; + } } void rb_secure(int level) { - if (level <= rb_safe_level()) { + rb_warn("rb_secure will be removed in Ruby 3.0"); + if (level <= GET_VM()->safe_level_) { ID caller_name = rb_frame_callee(); if (caller_name) { rb_raise(rb_eSecurityError, "Insecure operation `%"PRIsVALUE"' at level %d", - rb_id2str(caller_name), rb_safe_level()); + rb_id2str(caller_name), GET_VM()->safe_level_); } else { rb_raise(rb_eSecurityError, "Insecure operation at level %d", - rb_safe_level()); + GET_VM()->safe_level_); } } } @@ -97,11 +120,13 @@ rb_secure(int level) void rb_secure_update(VALUE obj) { + rb_warn("rb_secure_update will be removed in Ruby 3.0"); } void rb_insecure_operation(void) { + rb_warn("rb_insecure_operation will be removed in Ruby 3.0"); ID caller_name = rb_frame_callee(); if (caller_name) { rb_raise(rb_eSecurityError, "Insecure operation - %"PRIsVALUE, @@ -115,6 +140,7 @@ rb_insecure_operation(void) void rb_check_safe_obj(VALUE x) { + rb_warn("rb_check_safe_obj will be removed in Ruby 3.0"); if (rb_safe_level() > 0 && OBJ_TAINTED(x)) { rb_insecure_operation(); } -- cgit v1.2.3