This repository has been archived by the owner. It is now read-only.

freeze String class

Signed-off-by: PJ Hyett <>
1 parent cf407ff commit ff79f9e3c82729914ae405d62bcabd529cac211c steve committed with pjhyett Nov 5, 2008
Showing with 7 additions and 3 deletions.
  1. +7 −3 security.rb
@@ -13,9 +13,6 @@
-# disable ObjectSpace
-Object.send :remove_const, :ObjectSpace
# make sure all string methods which modify self also taint the string
class String
%w(swapcase! strip! squeeze! reverse! downcase! upcase! delete! slice! replace []= <<).each do |method_name|
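Review bot: Dropping `Object.send :remove_const, :ObjectSpace` from the top of the file means ObjectSpace now stays defined until the last statement of security.rb runs, so the removal depends on every statement in between loading without raising. The commit message only mentions freezing String and does not say why the removal has to move. Suggest leaving a one-line comment here that points to the new location and states the ordering requirement, so a later edit does not add code after it or move it back.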
@@ -49,6 +46,7 @@ def #{method_name} *a, &b
# Bug in ruby doesn't check taint when an array of globs is passed
class << Dir
# we need to track $SAFE level manually because define_method captures the $SAFE level
@@ -72,8 +70,14 @@ def set_safe_level
+# freeze String so that the taint method can't be redefined
# freeze Dir so that no one can modify the @@safe_level
# freeze method classes so someone cant modify them to catch the original methods
[Method, UnboundMethod].each {|klass| klass.freeze }
+# disable ObjectSpace so people cant access the original method objects
+Object.send :remove_const, :ObjectSpace
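Review bot: The added comment `# freeze String so that the taint method can't be redefined` overstates what the freeze covers. Freezing the String class blocks new method definitions on String itself, but `taint` is inherited rather than defined on String, so a definition placed on Object or on a module String includes would still shadow the original for every string. Suggest either extending the freeze list to those ancestors where that is workable, or rewording the comment to say the freeze only protects the wrappers this file defines on String. Minor: `cant` in the new ObjectSpace comment should be `can't`.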
