mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

security.rdoc: update about Symbol GC [ci skip]

* doc/security.rdoc (Symbols): update about Symbol GC.  Symbols
  explicitly converted from Strings now can be collected, but
  reflection/metaprogramming still can cause memory flooding.
  [Fix GH-725]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49468 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
nobu 2015-02-02 01:51:37 +00:00
parent 5146f5abe9
commit 92c1538d48
2 changed files with 15 additions and 12 deletions


@ -1,3 +1,10 @@
Mon Feb 2 10:51:34 2015 Ari Pollak <ajp@aripollak.com>
* doc/security.rdoc (Symbols): update about Symbol GC. Symbols
explicitly converted from Strings now can be collected, but
reflection/metaprogramming still can cause memory flooding.
[Fix GH-725]
Sun Feb 1 13:46:52 2015 Nobuyoshi Nakada <nobu@ruby-lang.org>
* tool/rbinstall.rb (bin-comm): drop batch file installation.


@ -66,20 +66,16 @@ method, variable and constant names. The reason for this is that symbols are
simply integers with names attached to them, so they are faster to look up in
hashtables.
Once a symbol is created, the memory used by it is never freed. If you convert
user input to symbols with +to_sym+ or +intern+, it is possible for an attacker
to mount a denial of service attack against your application by flooding it
with unique strings. Because each string is kept in memory until the Ruby
process exits, this will cause memory consumption to grow and grow until Ruby
runs out of memory and crashes.
Be careful with passing user input to methods such as +send+,
+instance_variable_get+ or +_set+, +const_get+ or +_set+, etc. as these methods
will convert string parameters to symbols internally and pose the same DoS
potential as direct conversion through +to_sym+/+intern+.
+instance_variable_get+ or +_set+, +const_get+ or +_set+, etc.
as these methods will convert string parameters to immortal symbols internally.
This means that the memory used by the symbols are never freed. This could
allow a user to mount a denial of service attack against your application by
flooding it with unique strings, which will cause memory to grow indefinitely
until the Ruby process is killed or causes the system to slow to a halt.
The workaround to this is simple - don't convert user input to symbols. You
should attempt to leave user input in string form instead.
The workaround to this is simple - don't call reflection/metaprogramming
methods with user input.
== Regular expressions
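
Review bot: the rewritten Symbols paragraph drops the +to_sym+/+intern+ warning without saying why, so someone reading doc/security.rdoc on its own cannot tell that symbols explicitly converted from Strings can now be collected; that fact appears only in the commit message. Suggest adding one sentence that states it, and explaining "immortal symbols" where the term is first used, since the paragraph relies on the distinction between collectable and immortal symbols but never defines it. In the added text, "the memory used by the symbols are never freed" should read "is never freed". The new workaround ("don't call reflection/metaprogramming methods with user input") would also be more usable if it said what to do when such a call cannot be avoided, for example checking the input against a fixed list of permitted names before passing it to +send+ or +const_get+.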