Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The taint mechanism will be deprecated in Ruby 2.7 #108

Closed
wants to merge 1 commit into from

Conversation

@kamipo
Copy link
Contributor

kamipo commented Nov 21, 2019

The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7
and will remove that in Ruby 3.

https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476

In Ruby 2.7, Object#{taint,untaint,trust,untrust} and related
functions in the C-API no longer have an effect (all objects are always
considered untainted), and are now warned deprecation message.

https://buildkite.com/rails/rails/builds/65069#dddcc2a1-a23c-4bc2-9eaf-351295244d1f/991-993

The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7
and will remove that in Ruby 3.

https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476

In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related
functions in the C-API no longer have an effect (all objects are always
considered untainted), and are now warned deprecation message.

https://buildkite.com/rails/rails/builds/65069#dddcc2a1-a23c-4bc2-9eaf-351295244d1f/991-993
@philr

This comment has been minimized.

Copy link
Member

philr commented Nov 21, 2019

TZInfo currently supports running in safe mode with Ruby < 2.7. With this pull request applied, this scenario no longer works:

$ ruby -v
ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux]
$ bundle exec ruby -Itest/tzinfo-data2 \
   -e 'require "tzinfo"; require "tzinfo/data"; $SAFE=1; puts TZInfo::Timezone.get("Europe/London")'
Traceback (most recent call last):
        11: from -e:1:in `<main>'
        10: from /home/philr/tzinfo/tzinfo/lib/tzinfo/timezone.rb:128:in `get'
         9: from /home/philr/tzinfo/tzinfo/lib/tzinfo/timezone.rb:235:in `data_source'
         8: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:54:in `get'
         7: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:54:in `synchronize'
         6: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:55:in `block in get'
         5: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:154:in `create_default_data_source'
         4: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:154:in `new'
         3: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:57:in `initialize'
         2: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:122:in `require_index'
         1: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require_data'
/home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require': Insecure operation - require (SecurityError)

I'd prefer to maintain support for safe mode for the time being, but avoid the warnings when running on Ruby 2.7. I'd probably look to conditionally define a helper 'untaint' method and use that in place of calls to Object#untaint:

if RUBY_VERSION >= '2.7'
  def untaint(obj)
    obj
  end
else
  def untaint(obj)
    obj.untaint
  end
end

Rather than testing the RUBY_VERSION, it'd probably better to find a way to check if Object#untaint is either non-existent or a no-op.

kamipo added a commit to kamipo/tzinfo that referenced this pull request Nov 24, 2019
The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7
and will remove that in Ruby 3.

https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476

This is an alternative of tzinfo#108.
@kamipo

This comment has been minimized.

Copy link
Contributor Author

kamipo commented Nov 24, 2019

Closing this in favor of #109.

@kamipo kamipo closed this Nov 24, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.