/rails

3.0.9 problem with $1, $2, etc. match vars not being set for safe text #1734

Closed
jstraitiff-wk opened this Issue Jun 16, 2011 · 6 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@jstraitiff-wk @pplr @dmathieu @tardate @pixeltrix
@jstraitiff-wk

jstraitiff-wk commented Jun 16, 2011

There seems to be a problem with regex $ variables and safe text:

ruby-1.9.2-p136 :057 > def linkify_it(txt)
ruby-1.9.2-p136 :058?>   safe_text = ERB::Util::h(txt)
ruby-1.9.2-p136 :059?>   safe_text.gsub(/(^|\s)(https?:\/\/([^\s\/]*)\S*)(\s|$)/i) {|m| puts "safe txt: match '#{m}', $1 '#{$1}', $2 '#{$2}', $3 '#{$3}', $4 '#{$4}'"}
ruby-1.9.2-p136 :060?>   txt.gsub(/(^|\s)(https?:\/\/([^\s\/]*)\S*)(\s|$)/i) {|m| puts "unsafe txt: match '#{m}', $1 '#{$1}', $2 '#{$2}', $3 '#{$3}', $4 '#{$4}'"}
ruby-1.9.2-p136 :061?>   end
 => nil 
ruby-1.9.2-p136 :062 > linkify_it(a)
safe txt: match ' hTTp://google.com ', $1 '', $2 '', $3 '', $4 ''
unsafe txt: match ' hTTp://google.com ', $1 ' ', $2 'hTTp://google.com', $3 'google.com', $4 ' '
 => "try thisit is fun" 
ruby-1.9.2-p136 :063 > a
 => "try this hTTp://google.com it is fun" 
ruby-1.9.2-p136 :064 > linkify_it("try this hTTp://google.com it is fun")
safe txt: match ' hTTp://google.com ', $1 '', $2 '', $3 '', $4 ''
unsafe txt: match ' hTTp://google.com ', $1 ' ', $2 'hTTp://google.com', $3   'google.com', $4 ' '
 => "try thisit is fun"

So for html_escaped strings, the $ variables are not being set. The used to, i.e. the above code worked fine in 3.0.6

Here’s a gist of the problem:

https://gist.github.com/1030065
git://gist.github.com/1030065.git
@pplr

This comment has been minimized.

Show comment Hide comment
@pplr

pplr Jun 17, 2011

Rails 3.1.0.rc4 is also affected by this problem.
Here is a simple test case:

test "gsub" do
  assert_equal("3", "--3--".html_safe.gsub(/--(\d+)--/){$1})
end

pplr commented Jun 17, 2011

Rails 3.1.0.rc4 is also affected by this problem.
Here is a simple test case:

test "gsub" do
  assert_equal("3", "--3--".html_safe.gsub(/--(\d+)--/){$1})
end
@dmathieu

This comment has been minimized.

Show comment Hide comment
@dmathieu

dmathieu Jun 17, 2011

Contributor

The problem is $* variables are scoped to the enclosing method.
There's a discussion about this here : http://www.ruby-forum.com/topic/198458

Unfortunately, I'm afraid there's not much that can be done about it.

Contributor

dmathieu commented Jun 17, 2011

The problem is $* variables are scoped to the enclosing method.
There's a discussion about this here : http://www.ruby-forum.com/topic/198458

Unfortunately, I'm afraid there's not much that can be done about it.
@jstraitiff-wk

This comment has been minimized.

Show comment Hide comment
@jstraitiff-wk

jstraitiff-wk Jun 17, 2011

Well, from my perspective, it worked in 3.0.6 and now doesn't in 3.0.9. It works with non-safe strings as I showed above. So it's the rails extensions breaking basic gsub() functionality that is very useful and used.....

So saying "there's not much that can be done" doesn't sit well...

jstraitiff-wk commented Jun 17, 2011

Well, from my perspective, it worked in 3.0.6 and now doesn't in 3.0.9. It works with non-safe strings as I showed above. So it's the rails extensions breaking basic gsub() functionality that is very useful and used.....

So saying "there's not much that can be done" doesn't sit well...
@dmathieu

This comment has been minimized.

Show comment Hide comment
@dmathieu

dmathieu Jun 17, 2011

Contributor

It's been changed between 3.0.7 and 3.0.8 because of a security issue.
http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

html_safe objects are SafeBuffer objects.
This object overrides some unsafe methods, transforming them to strings as they transform the object and therefore, it becomes unsafe.

As gsub transforms the object, it has to be overriden.
Basically, the way of doing your gsub would be to work on unsafe strings. You can get one with to_str

string = "string".html_safe #=> Returns a SafeBuffer object
string.to_str #=> Returns a new string
Contributor

dmathieu commented Jun 17, 2011

It's been changed between 3.0.7 and 3.0.8 because of a security issue.
http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

html_safe objects are SafeBuffer objects.
This object overrides some unsafe methods, transforming them to strings as they transform the object and therefore, it becomes unsafe.

As gsub transforms the object, it has to be overriden.
Basically, the way of doing your gsub would be to work on unsafe strings. You can get one with to_str

string = "string".html_safe #=> Returns a SafeBuffer object
string.to_str #=> Returns a new string
@tardate

This comment has been minimized.

Show comment Hide comment
@tardate

tardate Jun 19, 2011

Contributor

NB: just cross-referencing, same issue as #1555
@dmathieu thanks for linking http://www.ruby-forum.com/topic/198458 - best explanation/discussion I've seen of why the magic matching variables break when you attempt to intercept gsub.

Contributor

tardate commented Jun 19, 2011

NB: just cross-referencing, same issue as #1555
@dmathieu thanks for linking http://www.ruby-forum.com/topic/198458 - best explanation/discussion I've seen of why the magic matching variables break when you attempt to intercept gsub.
@pixeltrix

This comment has been minimized.

Show comment Hide comment
@pixeltrix

pixeltrix Jun 19, 2011

Owner

Closing as a duplicate of #1555

Owner

pixeltrix commented Jun 19, 2011

Closing as a duplicate of #1555

@pixeltrix pixeltrix closed this Jun 19, 2011

jake3030 pushed a commit to jake3030/rails that referenced this issue Jun 28, 2011

@chrisk @lifo
Fix spelling of an internal method [#1734 state:resolved] 
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
3c64c9a

azul added a commit to riseuplabs/crabgrass-core that referenced this issue Dec 9, 2014

@azul
html_safe strings to not work in gsub 
rails/rails#1734
8ca1448
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment