-rw-r--r--ChangeLog7
-rw-r--r--doc/security.rdoc22
2 files changed, 16 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog
index b427b69997..9d2f5082af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Mon Feb 2 10:51:34 2015 Ari Pollak <ajp@aripollak.com>
+
+ * doc/security.rdoc (Symbols): update about Symbol GC. Symbols
+ explicitly converted from Strings now can be collected, but
+ reflection/metaprogramming still can cause memory flooding.
+ [Fix GH-725]
+
Sun Feb 1 13:46:52 2015 Nobuyoshi Nakada <nobu@ruby-lang.org>
* tool/rbinstall.rb (bin-comm): drop batch file installation.
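Review bot: The entry states that symbols explicitly converted from Strings "now can be collected", but the accompanying doc/security.rdoc hunk only deletes the old +to_sym+/+intern+ warning and never records that fact anywhere readers will see it. Consider having the doc change say so explicitly (one sentence that +to_sym+/+intern+ now produce collectable symbols while the reflection methods listed do not), so the ChangeLog and the rendered document describe the same behaviour.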
diff --git a/doc/security.rdoc b/doc/security.rdoc
index d8efca0042..ff2da46074 100644
--- a/doc/security.rdoc
+++ b/doc/security.rdoc
@@ -66,20 +66,16 @@ method, variable and constant names. The reason for this is that symbols are
simply integers with names attached to them, so they are faster to look up in
hashtables.
-Once a symbol is created, the memory used by it is never freed. If you convert
-user input to symbols with +to_sym+ or +intern+, it is possible for an attacker
-to mount a denial of service attack against your application by flooding it
-with unique strings. Because each string is kept in memory until the Ruby
-process exits, this will cause memory consumption to grow and grow until Ruby
-runs out of memory and crashes.
-
Be careful with passing user input to methods such as +send+,
-+instance_variable_get+ or +_set+, +const_get+ or +_set+, etc. as these methods
-will convert string parameters to symbols internally and pose the same DoS
-potential as direct conversion through +to_sym+/+intern+.
-
-The workaround to this is simple - don't convert user input to symbols. You
-should attempt to leave user input in string form instead.
++instance_variable_get+ or +_set+, +const_get+ or +_set+, etc.
+as these methods will convert string parameters to immortal symbols internally.
+This means that the memory used by the symbols are never freed. This could
+allow a user to mount a denial of service attack against your application by
+flooding it with unique strings, which will cause memory to grow indefinitely
+until the Ruby process is killed or causes the system to slow to a halt.
+
+The workaround to this is simple - don't call reflection/metaprogramming
+methods with user input.
== Regular expressions
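Review bot: Subject-verb agreement error in the added line "This means that the memory used by the symbols are never freed." - the subject is "memory", so it should read "the memory used by these symbols is never freed." Separately, removing the whole +to_sym+/+intern+ paragraph leaves the section silent on why direct conversion is no longer covered; a reader comparing old and new text cannot tell whether it was dropped as safe or merely folded into the reflection warning. A short sentence such as "Symbols created with +to_sym+ or +intern+ can now be garbage collected, so the remaining concern is the reflection methods below" would preserve that information, and the split line "+instance_variable_get+ or +_set+, +const_get+ or +_set+, etc." followed by "as these methods will convert ..." could be joined to avoid the dangling "etc." at end of line.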