| CARVIEW |
Select Language
HTTP/2 200
server: GitHub.com
content-type: text/html; charset=utf-8
last-modified: Wed, 16 Jul 2025 15:35:29 GMT
access-control-allow-origin: *
etag: W/"6877c6c1-1c2c"
expires: Wed, 16 Jul 2025 22:40:42 GMT
cache-control: max-age=600
content-encoding: gzip
x-proxy-cache: MISS
x-github-request-id: 485C:2AEA9F:2CFBB6:2D5175:68782811
accept-ranges: bytes
age: 0
date: Wed, 16 Jul 2025 22:30:42 GMT
via: 1.1 varnish
x-served-by: cache-bom4732-BOM
x-cache: MISS
x-cache-hits: 0
x-timer: S1752705042.235306,VS0,VE304
vary: Accept-Encoding
x-fastly-request-id: 56c25975a8ed5f1c8c3d8c0f0235337fa0711a61
content-length: 2615
Exception methods can bypass $SAFE
Exception methods can bypass $SAFE
Posted by Urabe Shyouhei on 18 Feb 2011
Exception#to_s method can be used to trick $SAFE check, which makes a untrusted codes to modify arbitrary strings.
Detailed description
In Ruby's $SAFE semantics, safe level of 4 is used to run a untrusted code (such as plugin). So in upper safe levels, some sort of operations are prohibited to prevent untrusted codes from attacking outer (trusted) data.
Exception#to_s was found to be problematic around it. The method can trick safe level mechanism and destructively modifies an untaitned string to be tainted. With this an attacker can modify arbitrary untainted strings like this:
$secret_path = "foo"
proc do
$SAFE = 4
Exception.new($secret_path).to_s
$secret_path.replace "/etc/passwd"
end.call
open($secret_path) do
...
end
Affected versions
Luckily this attack is ineffective for 1.9.x series of ruby. Affected versions are restricted to:
- Ruby 1.8.6 patchlevel 420 and all prior versions
- Ruby 1.8.7 patchlevel 330 and all prior versions
- Development versions of Ruby 1.8 (1.8.8dev)
Solutions
Please upgrade to a newer version.
Updates
- 1.8.7-334 was released to fix this issue. 1.8.7 users are encouraged to upgrade.