freeze String class

Signed-off-by: PJ Hyett <pjhyett@gmail.com>
commit ff79f9e3c82729914ae405d62bcabd529cac211c 1 parent cf407ff
account-settings authored, pjhyett committed
Showing with 7 additions and 3 deletions: security.rb (+7 −3)
@@ -13,9 +13,6 @@
end
Kernel.freeze
-# disable ObjectSpace
-Object.send :remove_const, :ObjectSpace
-
# make sure all string methods which modify self also taint the string
class String
%w(swapcase! strip! squeeze! reverse! downcase! upcase! delete! slice! replace []= <<).each do |method_name|
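Review bot: the commit message ("freeze String class") does not say that this hunk deletes the three lines that removed the ObjectSpace constant; the same `Object.send :remove_const, :ObjectSpace` reappears at the end of the file in the last hunk, so this is a relocation and the message should state it. After the move, ObjectSpace stays defined while the String wrappers and the Dir override below are being set up, which is fine as long as nothing else in this file relies on the constant already being gone; please confirm that. Note also that `remove_const` only unbinds the constant name, so moving the call changes when the name disappears, not what the removal achieves.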
@@ -49,6 +46,7 @@ def #{method_name} *a, &b
end
+
# Bug in ruby doesn't check taint when an array of globs is passed
class << Dir
# we need to track $SAFE level manually because define_method captures the $SAFE level
@@ -72,8 +70,14 @@ def set_safe_level
end
end
+# freeze String so that the taint method can't be redefined
+String.freeze
+
# freeze Dir so that no one can modify the @@safe_level
Dir.freeze
# freeze method classes so someone cant modify them to catch the original methods
[Method, UnboundMethod].each {|klass| klass.freeze }
+
+# disable ObjectSpace so people cant access the original method objects
+Object.send :remove_const, :ObjectSpace
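Review bot: the comment on the added `String.freeze` line overstates what it protects: `taint` is a method of Object, not String, so freezing String keeps the wrapped mutator methods this file defines on String (`swapcase!`, `strip!`, `<<`, and the rest of that list) from being reopened, but does not cover `taint` itself; reword it to something like `# freeze String so the tainting wrappers above can't be redefined`. Placing the ObjectSpace removal after the Method/UnboundMethod freeze is the right order, since everything that needs to be locked down is done by then. One style point: `cant` in the new ObjectSpace comment should be `can't` (the existing Method comment two lines above has the same typo; worth fixing in the same commit).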