[#JRUBY-1295] Invalid instance/class variable and constant names may be set

JRuby

Invalid instance/class variable and constant names may be set

Created: 28/Aug/07 03:45 AM Updated: 22/Dec/07 06:28 AM

Component/s:

Core Classes/Modules

Affects Version/s:

None

Fix Version/s:

JRuby 1.1+, JRuby 1.1b1, JRuby 1.0.2

Time Tracking:

Not Specified

Description

« Hide

The IdUtil.isXXX methods do not sufficiently validate names passed to const_set, instance_variable_set and class_variable_set. (Likewise for the get methods, but that's less problematic.) So, for example, the following are currently accepted:

mod.const_set 'A nice, long phrase!', 86
obj.instance_variable_set '@1 * @2 / @3 =', 4
clazz.send :class_variable_set, '@@@@@@@@', 99

I've got a fix in the works, part of other ivar/cvar/constant work.

All

Comments

Work Log

Change History

Sort Order:

Ascending order - Click to sort in descending order

[ Permlink | « Hide ]

Thomas E Enebo - 28/Aug/07 10:04 AM

Don't fix getVarType as part of this. It is used by the parser/lexer code and does not need extra sanity checks (lexer already does it). I can either move that function into that area or you can comment why it does not have extra checks on it.

[ Permlink | « Hide ]

Bill Dortch - 28/Aug/07 02:36 PM

Re: ...getVarType ... does not need extra sanity checks ..

I figured as much, created separate isValidXXX methods...

[ Permlink | « Hide ]

Bill Dortch - 28/Aug/07 07:56 PM

Fixed on trunk in 4217. Leaving open pending unit tests and replication to 1_0.

[ Permlink | « Hide ]

Charles Oliver Nutter - 30/Sep/07 09:55 AM

Over a month old now; if this is going to be backported to 1.0, do it soon, or we're going to close it as a 1.1-only fix.

[ Permlink | « Hide ]

Bill Dortch - 04/Oct/07 02:22 AM

Fixed for 1_0 branch in 4478, 4479. Unit tests added to trunk in 4480.