security.rdoc: update about Symbol GC [ci skip]

* doc/security.rdoc (Symbols): update about Symbol GC.  Symbols
  explicitly converted from Strings now can be collected, but
  reflection/metaprogramming still can cause memory flooding.
  [Fix GH-725]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49468 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
nobu 2015-02-02 01:51:37 +00:00
parent 5146f5abe9
commit 92c1538d48
2 changed files with 15 additions and 12 deletions

@ -1,3 +1,10 @@
Mon Feb 2 10:51:34 2015 Ari Pollak <ajp@aripollak.com>
* doc/security.rdoc (Symbols): update about Symbol GC. Symbols
explicitly converted from Strings now can be collected, but
reflection/metaprogramming still can cause memory flooding.
[Fix GH-725]
Sun Feb 1 13:46:52 2015 Nobuyoshi Nakada <nobu@ruby-lang.org> Sun Feb 1 13:46:52 2015 Nobuyoshi Nakada <nobu@ruby-lang.org>
* tool/rbinstall.rb (bin-comm): drop batch file installation. * tool/rbinstall.rb (bin-comm): drop batch file installation.
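Review bot: the entry states that symbols explicitly converted from Strings "now can be collected" but does not say since which release, so a reader of this ChangeLog cannot tell which Ruby versions still keep every symbol immortal; consider naming the release that introduced Symbol GC here and in the doc text the entry describes.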

@ -66,20 +66,16 @@ method, variable and constant names. The reason for this is that symbols are
simply integers with names attached to them, so they are faster to look up in simply integers with names attached to them, so they are faster to look up in
hashtables. hashtables.
Once a symbol is created, the memory used by it is never freed. If you convert
user input to symbols with +to_sym+ or +intern+, it is possible for an attacker
to mount a denial of service attack against your application by flooding it
with unique strings. Because each string is kept in memory until the Ruby
process exits, this will cause memory consumption to grow and grow until Ruby
runs out of memory and crashes.
Be careful with passing user input to methods such as +send+, Be careful with passing user input to methods such as +send+,
+instance_variable_get+ or +_set+, +const_get+ or +_set+, etc. as these methods +instance_variable_get+ or +_set+, +const_get+ or +_set+, etc.
will convert string parameters to symbols internally and pose the same DoS as these methods will convert string parameters to immortal symbols internally.
potential as direct conversion through +to_sym+/+intern+. This means that the memory used by the symbols are never freed. This could
allow a user to mount a denial of service attack against your application by
flooding it with unique strings, which will cause memory to grow indefinitely
until the Ruby process is killed or causes the system to slow to a halt.
The workaround to this is simple - don't convert user input to symbols. You The workaround to this is simple - don't call reflection/metaprogramming
should attempt to leave user input in string form instead. methods with user input.
== Regular expressions == Regular expressions
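Review bot: the added line "This means that the memory used by the symbols are never freed" has a subject-verb disagreement and should read "the memory used by these symbols is never freed". More substantively, the hunk deletes the whole +to_sym+/+intern+ warning without replacing it with a positive statement, so the rendered page no longer tells the reader that symbols created from dynamic strings via +to_sym+/+intern+ are now collected; one sentence saying so before "Be careful with passing user input to methods such as +send+" would make the contrast with the reflection methods explicit instead of leaving it to be inferred from the removal. Finally, "don't call reflection/metaprogramming methods with user input" is stricter than most applications can follow; the workaround paragraph could add that checking the input against a fixed set of expected names before passing it to +send+, +const_get+, etc. is the practical form of that advice.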