Florian Gross
10/31/2003 8:42:00 PM
Yukihiro Matsumoto wrote:
> Hi,
Hi!
> Thank you for the report. I will fix this soon, but the
> SystemStackError object will remain reused.
First of all: Thanks for fixing this so fast! :)
I think your fix might introduce a new security hole in this rare case:
An attacker in a safe environment causes the first SystemStackError of
your application to happen and rescues it into a variable. He then does
this:
def error.inspect
  puts "Gotcha!"
end
Later in your application code outside of the safe environment another
SystemStackError occurs (the attacker can't cause this, which means that
this whole condition is quite rare) and the malicious inspect method of
the SystemStackError is called.
I think that this can be fixed by also freezing the globally stored
system stack error:
--- old/ruby/eval.c Fri Oct 31 21:24:47 2003
+++ new/ruby/eval.c Fri Oct 31 21:29:15 2003
@@ -7736,6 +7736,7 @@ Init_Proc()
rb_eSysStackError = rb_define_class("SystemStackError",
rb_eStandardError);
sysstack_error = rb_exc_new2(rb_eSysStackError, "stack level too
deep");
OBJ_TAINT(sysstack_error);
+ OBJ_FREEZE(sysstack_error);
rb_global_variable(&sysstack_error);
rb_cProc = rb_define_class("Proc", rb_cObject);
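Review bot: with sysstack_error now frozen, the site that raises it needs checking: if the raise path records the backtrace by writing an instance variable on the exception object, that write will fail on the frozen object (TypeError, can't modify frozen object) instead of reporting the stack overflow, so the raise site must duplicate a frozen exception, or otherwise avoid writing to it, before attaching the backtrace. Also note that OBJ_FREEZE(sysstack_error) freezes the exception object only, not the message String that rb_exc_new2 builds from "stack level too deep"; if that string is what the message accessor hands back, it stays mutable from Ruby code, so consider freezing it as well.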
Regards,
Florian Gross
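The reuse-and-poison scenario described above, together with the effect of the OBJ_FREEZE the patch adds, as an added example in plain Ruby. This is not code from the original mail or from Ruby's own source: the StackGuard class and the attacker_poisons, victim_reports and simulate methods are invented for illustration, and the model assumes a current Ruby where FrozenError exists and SystemStackError must be rescued by name. Giving the preallocated exception an empty backtrace before it is frozen is a simplification of this model, not something the patch does.

```ruby
# Added example, not code from the original mail or from Ruby itself: a
# pure-Ruby model of a runtime that reports every "stack level too deep"
# failure with one preallocated exception object, as the fix discussed in the
# mail does with sysstack_error. StackGuard and its methods are invented here.
class StackGuard
  attr_reader :shared_error

  def initialize(freeze_shared:)
    # One object allocated up front, so an overflow can be reported without
    # allocating (mirrors rb_exc_new2 in Init_Proc).
    @shared_error = SystemStackError.new("stack level too deep")
    # A preallocated exception carries no useful backtrace. Giving it an empty
    # one here, before freezing, means later raises have nothing to write into
    # it (a simplification for this model; the interpreter treats the real
    # sysstack_error specially).
    @shared_error.set_backtrace([])
    @shared_error.freeze if freeze_shared # the OBJ_FREEZE the patch adds
  end

  # Every overflow raises the very same object (mirrors rb_exc_raise(sysstack_error)).
  def overflow!
    raise @shared_error
  end
end

# Untrusted code (the $SAFE sandbox in the mail) triggers the first overflow,
# keeps the rescued object and plants a singleton inspect on it.
# Returns the object it rescued, or nil if the freeze rejected the poison.
def attacker_poisons(guard)
  guard.overflow!
rescue SystemStackError => e
  begin
    def e.inspect
      "Gotcha!"
    end
    e
  rescue FrozenError
    nil
  end
end

# Trusted code later overflows on its own and, as any error reporter would,
# inspects the exception it rescued.
def victim_reports(guard)
  guard.overflow!
rescue SystemStackError => e
  { object: e, report: e.inspect }
end

# Runs both steps against one guard and summarises what happened.
def simulate(freeze_shared:)
  guard = StackGuard.new(freeze_shared: freeze_shared)
  planted = attacker_poisons(guard)
  victim = victim_reports(guard)
  {
    shared_frozen: guard.shared_error.frozen?,
    attacker_got_shared_object: planted.equal?(guard.shared_error),
    victim_got_shared_object: victim[:object].equal?(guard.shared_error),
    victim_report: victim[:report],
    hijacked: victim[:report].include?("Gotcha!")
  }
end

if __FILE__ == $0
  p simulate(freeze_shared: false) # unfrozen: the attacker's inspect runs for the victim
  p simulate(freeze_shared: true)  # frozen: it does not
end
```

In the unfrozen run the rescued object is the shared one, so the singleton inspect the attacker planted is exactly what the later, unrelated handler calls. With the shared object frozen, the singleton definition is refused (or, in an interpreter that copies a frozen exception before raising it, lands on a throwaway copy), and the later handler sees the ordinary inspect output; either way the report contains no attacker-controlled text.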