
Key: JRUBY-1295
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Bill Dortch
Reporter: Bill Dortch
Votes: 0
Watchers: 0
JRuby

Invalid instance/class variable and constant names may be set

Created: 28/Aug/07 03:45 AM   Updated: 22/Dec/07 06:28 AM
Component/s: Core Classes/Modules
Affects Version/s: None
Fix Version/s: JRuby 1.1+, JRuby 1.1b1, JRuby 1.0.2

Time Tracking:
Not Specified


Description
The IdUtil.isXXX methods do not sufficiently validate names passed to const_set, instance_variable_set and class_variable_set. (Likewise for the get methods, but that's less problematic.) So, for example, the following are currently accepted:
mod.const_set 'A nice, long phrase!', 86
obj.instance_variable_set '@1 * @2 / @3 =', 4
clazz.send :class_variable_set, '@@@@@@@@', 99

I've got a fix in the works, part of other ivar/cvar/constant work.
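
The strict name check this report asks for, as an added Ruby example (not code from the JRuby source or from this ticket). It validates names before they reach the reflective setters and compares the result with what the running interpreter accepts. The helper names `valid_name?`, `interpreter_accepts?` and `disagreements` are hypothetical, the rules are an ASCII-only approximation, and the sample list is constructed apart from the three names quoted above.

```ruby
# Added example (not JRuby code). ASCII-only approximation of Ruby's naming
# rules; \A and \z anchor the whole string, so a trailing newline fails too.
NAME_RULES = {
  constant: /\A[A-Z]\w*\z/,
  ivar:     /\A@[A-Za-z_]\w*\z/,
  cvar:     /\A@@[A-Za-z_]\w*\z/
}.freeze

# True when +name+ is a well-formed name of the given kind.
def valid_name?(kind, name)
  NAME_RULES.fetch(kind).match?(name.to_s)
end

# Ask the running interpreter, using throwaway anonymous receivers so the
# probe never touches real classes or objects.
def interpreter_accepts?(kind, name)
  case kind
  when :constant then Module.new.const_set(name, 1)
  when :ivar     then Object.new.instance_variable_set(name, 1)
  when :cvar     then Class.new.send(:class_variable_set, name, 1)
  else raise ArgumentError, "unknown kind: #{kind}"
  end
  true
rescue NameError
  false
end

# Constructed samples; the first three are the names quoted in the report.
SAMPLES = [
  [:constant, 'A nice, long phrase!'],
  [:ivar,     '@1 * @2 / @3 ='],
  [:cvar,     '@@@@@@@@'],
  [:constant, 'Answer'], [:constant, 'lowercase'],
  [:ivar,     '@count'], [:ivar, '@'], [:ivar, "@ok\n"],
  [:cvar,     '@@total'], [:cvar, '@@']
].freeze

# Samples where the validator and the interpreter disagree (ideally none).
def disagreements(samples = SAMPLES)
  samples.reject { |kind, name| valid_name?(kind, name) == interpreter_accepts?(kind, name) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |kind, name|
    puts format('%-9s %-26p validator=%-5s interpreter=%s',
                kind, name, valid_name?(kind, name), interpreter_accepts?(kind, name))
  end
end
```

An interpreter with the bug described here would show `interpreter=true` for the first three rows, and `disagreements` would list them.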



Thomas E Enebo - 28/Aug/07 10:04 AM
Don't fix getVarType as part of this. It is used by the parser/lexer code and does not need extra sanity checks (lexer already does it). I can either move that function into that area or you can comment why it does not have extra checks on it.

Bill Dortch - 28/Aug/07 02:36 PM
Re: ...getVarType ... does not need extra sanity checks ..

I figured as much, created separate isValidXXX methods...


Bill Dortch - 28/Aug/07 07:56 PM
Fixed on trunk in 4217. Leaving open pending unit tests and replication to 1_0.

Charles Oliver Nutter - 30/Sep/07 09:55 AM
Over a month old now; if this is going to be backported to 1.0, do it soon, or we're going to close it as a 1.1-only fix.

Bill Dortch - 04/Oct/07 02:22 AM
Fixed for 1_0 branch in 4478, 4479. Unit tests added to trunk in 4480.