What are Ruby's Object#taint and Object#trust methods?

Time: 2021-02-28 22:30:51

I was reading about Ruby string methods in the docs and came across the methods

  • taint
  • trust
  • untaint
  • untrust

I don't know what they do; in which situations do we use them? Has anyone used any of them? Examples would be nice.

3 solutions

#1


52  

taint and trust are part of Ruby's security model. In Ruby, each object has a few flags that it carries around with it, two of which are the Trusted flag and the Tainted flag. How these flags are acted on depends on something called the safe level. The safe level is stored in $SAFE.

Each thread and fiber in a program can have its own safe level. Safe levels range from 0 through 4, with 0 enforcing no security and 4 enforcing so much it should only be used when you're evaling code. You can't assign a lower value to $SAFE than it already has. Also, on UNIX systems where a Ruby script runs as setuid, Ruby automatically sets the safe level to 1.

Tainting

When an object has its tainted flag set, that means, roughly, that the object came from an unreliable source and therefore can't be used in sensitive operations. When the safe level is 0, the taint flag is ignored (but still set, you can pay attention to it if you want). There are a few methods related to tainting:

  • taint -- Make an object tainted. You can taint an object on all levels with the exception of safe level 4.
  • tainted? -- Check if an object is tainted.
  • untaint -- Remove tainting from an object. This can only be used in safe levels 0, 1, and 2.

Here's an example from the pragprog pickaxe (source) that shows tainting:

# internal data
# =============
x1 = "a string"
x1.tainted?     # => false
x2 = x1[2, 4]
x2.tainted?     # => false
x1 =~ /([a-z])/ # => 0
$1.tainted?     # => false
# external data
# =============
y1 = ENV["HOME"]
y1.tainted?      # => true
y2 = y1[2, 4]
y2.tainted?      # => true
y1 =~ /([a-z])/  # => 1
$1.tainted?      # => true

To summarize, you can't use dangerous methods on tainted data. So if you do this in safe level 3, you'd get an error:

eval(gets)

Trust

Trust is a lot simpler. Trust has to do with whether the object came from a trusted or untrusted source -- basically, whether it came from anything less than safe level 4, or safe level 4. I'm not sure exactly what effect Ruby's trust has, but take a look here: http://www.ruby-forum.com/topic/1887006.

Here are some more resources: http://phrogz.net/ProgrammingRuby/taint.html -- Some great stuff on safe levels, but I think it's from 1.8 -- there is an updated version for 1.9, just only in the printed version of the book.

http://www.ruby-forum.com/topic/79295 -- On whether safe is safe enough.

#2


4  

taint and trust each set a flag that the object carries around with it everywhere. The only difference that I can tell (from ruby-doc.org) is that some method calls behave differently when given tainted objects whereas trust seems to be entirely up to the programmer to interpret.

The main purpose of tainting is to flag user input as potentially dangerous e.g. a dynamically loaded script or CGI form data. You then implement sanitizing methods that make sure objects are safe and untaint them before using them elsewhere in your code.

See also "What's the purpose of tainting Ruby objects?".

#3


0  

I found this link informative about tainted data in Ruby.

http://ruby.about.com/od/advancedruby/a/tainted.htm

"Tainted" objects are those that have come from some type of user input. Either from a file, the keyboard or the network, unless the object is a literal in the program or created by the program directly, it will be tainted. The tainted flag is always there on your objects, all you have to do is check it before you do anything unsafe. If you've confirmed that the data is indeed safe, you can then untaint the object.


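The three answers describe one discipline: data from outside the program is flagged, sensitive operations refuse flagged data (answer #1's safe-level error), and a sanitizer validates the data before clearing the flag (answers #2 and #3). Here is an added, runnable illustration of that discipline. It is not code from any of the answers and it does not use the built-in Object#taint API, which was deprecated in Ruby 2.7 and removed in Ruby 3.2 ($SAFE was removed in 3.0); instead the flag travels inside a small wrapper class. The names Input, TaintedInputError, sensitive_operation and taint_demo, and the sample value "report_2024.txt", are all assumptions made for this example.

```ruby
# Added illustration of the taint-and-sanitize pattern the answers describe.
# Not Ruby's native Object#taint API (removed in Ruby 3.2): the taint flag is
# carried by a wrapper class so this runs on current Ruby.

class TaintedInputError < StandardError; end

# Wraps a string together with its taint flag, the way the native flag
# travelled with every object.
class Input
  attr_reader :value

  def initialize(value, tainted)
    @value = value.dup.freeze
    @tainted = tainted
  end

  # Data that arrived from outside the program (ENV, ARGV, sockets, files)
  # is tainted from the moment it is wrapped.
  def self.external(value)
    new(value, true)
  end

  # Literals and program-generated values are not.
  def self.internal(value)
    new(value, false)
  end

  def tainted?
    @tainted
  end

  # Derived values inherit the flag, as substrings and $1 captures did natively.
  def [](*args)
    Input.new(@value[*args], @tainted)
  end

  # Sanitizer: check the value against an allowlist pattern and return an
  # untainted copy. Values that fail the check are rejected, not "cleaned".
  def sanitize(allowed)
    unless allowed.match?(@value)
      raise TaintedInputError, "#{@value.inspect} does not match #{allowed.inspect}"
    end
    Input.new(@value, false)
  end
end

# A sensitive sink. Like an operation under $SAFE >= 1, it refuses tainted
# input outright instead of trusting the caller to have checked it.
def sensitive_operation(input)
  raise TaintedInputError, "refusing tainted input #{input.value.inspect}" if input.tainted?
  # Hypothetical sensitive action; returning the upcased value just proves it ran.
  input.value.upcase
end

# End-to-end walk-through on a constructed sample value (it stands in for
# ENV["HOME"] or CGI form data). Returns what each step produced.
def taint_demo(raw_value = "report_2024.txt")
  raw = Input.external(raw_value)
  refused = begin
    sensitive_operation(raw)
    nil
  rescue TaintedInputError => e
    e.message
  end
  # Filename-style allowlist: word characters, dots and dashes, no separators.
  clean = raw.sanitize(/\A[\w.\-]+\z/)
  {
    raw_tainted: raw.tainted?,
    refused: refused,
    clean_tainted: clean.tainted?,
    result: sensitive_operation(clean)
  }
end

puts taint_demo.inspect
```

Calling taint_demo with a value such as "../etc/passwd" shows the other half of the pattern: the sink refuses the raw value, and the sanitizer raises rather than untainting it, so the data never reaches the sensitive operation at all.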