- ruby-core - ml.ruby-lang.org

[ruby-core:111043] [Ruby master Feature#9830] Support for GOST private/public keys
by hsbt (Hiroshi SHIBATA) 29 Nov '22

29 Nov '22

Issue #9830 has been updated by hsbt (Hiroshi SHIBATA). Assignee set to rhenium (Kazuki Yamaguchi) ---------------------------------------- Feature #9830: Support for GOST private/public keys https://bugs.ruby-lang.org/issues/9830#change-100296 * Author: Envek (Andrey Novikov) * Status: Assigned * Priority: Normal * Assignee: rhenium (Kazuki Yamaguchi) ---------------------------------------- Hello everyone. We're required to use GOST encryption algorithms for signing requests, interacting with HTTPS services with client certificate authentication and so on. OpenSSL 1.0.0 is bundled with GOST engine, and, if correctly configured, can handle all of these tasks from command line. Also see #9822. **Issue** Ruby can't read GOST private and public keys: ~~~ ruby> privkey = OpenSSL::PKey.read(File.read('gost_r_34_10_2001_private_key.pem')) OpenSSL::PKey::PKeyError: unsupported key type ruby> # Same for public keys ruby> crt = OpenSSL::X509::Certificate.new(File.read('gost_r_34_10_2001_certificate.pem')) ruby> crt.public_key OpenSSL::PKey::PKeyError: unsupported key type ~~~ The problem is there is no "Generic PKey" class in Ruby's OpenSSL. In source in `ext/openssl/openssl_pkey.c` at line 76 in method `ossl_pkey_new` there is examination of key type and creating appropriate Ruby classes. But GOST R 34.10-2001 key type have type `NID_id_GostR3410_2001` (811), and Ruby fails. **Possible solution** GOST keys are EC keys in fact (at least for GOST R 34.10-2001). And, if I add `case NID_id_GostR3410_2001:` right before `case EVP_PKEY_EC:` and remove checks about key type in `ext/openssl/openssl_pkey_ec.c` – everything will work. To illustrate this, I've attached required patches (one from issue #9822), self-signed GOST R 34.10-2001 certificate with private key and two test scripts. **NOTE**: You will need OpenSSL version 1.0.0 or newer with correct configuration, see links below! **Question** How should GOST keys support implemented in Ruby? Should it even use `OpenSSL::PKey::EC`, or, may be, subclass from it? I'm not experienced neither in C programming nor in cryptography, but I would be glad to help with the implementation of this. **Further information** * **README.gost**: Instructions for setting up OpenSSL and usage: https://github.com/openssl/openssl/blob/master/engines/ccgost/README.gost * **OpenSSL GOST engine source**: https://github.com/openssl/openssl/tree/master/engines/ccgost * **RFC 5830**: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms: http://tools.ietf.org/html/rfc5830 * **RFC 5831**: GOST R 34.11-94: Hash Function Algorithm: http://tools.ietf.org/html/rfc5831 * **RFC 5832**: GOST R 34.10-2001: Digital Signature Algorithm: http://tools.ietf.org/html/rfc5832 * **RFC 4491**: Using the GOST Algorithms with the Internet X.509 Public Key Infrastructure: http://tools.ietf.org/html/rfc4491 * **RFC 4490**: Using the GOST Algorithms with Cryptographic Message Syntax (CMS): http://tools.ietf.org/html/rfc4490 * **RFC 4357**: Additional Cryptographic Algorithms for Use with GOST Algorithms * Some stackoverflow.com related questions: http://stackoverflow.com/questions/12868384/openssl-gost-parameter-set and http://stackoverflow.com/questions/14580340/generate-gost-34-10-2001-keypai… ---Files-------------------------------- gost_keys_support_draft.patch (1.92 KB) gost_r_34_10_2001_certificate.pem (826 Bytes) gost_r_34_10_2001_private_key.pem (152 Bytes) gost_sigining.rb (541 Bytes) gost_ssl_example_with_certs.rb (742 Bytes) respect_system_openssl_settings.patch (430 Bytes) -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111042] [Ruby master Bug#18657] IRB raises exception when stdout is a pipe
by hsbt (Hiroshi SHIBATA) 29 Nov '22

29 Nov '22

Issue #18657 has been updated by hsbt (Hiroshi SHIBATA). Status changed from Open to Closed This patch has been merged at https://github.com/ruby/irb/pull/353 ---------------------------------------- Bug #18657: IRB raises exception when stdout is a pipe https://bugs.ruby-lang.org/issues/18657#change-100295 * Author: pjones (Peter Jones) * Status: Closed * Priority: Normal * ruby -v: ruby 3.2.0dev (2022-03-24T16:14:55Z master 33b13bd9f1) [x86_64-linux] * Backport: 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN ---------------------------------------- When piping stdout to another process IRB fails: ``` lib/ruby/3.0.0/irb/input-method.rb:42:in `winsize': Inappropriate ioctl for device (Errno::ENOTTY) ``` For example: ``` echo n=1 | irb | cat ``` This bug was introduced in e468d9f49ca34f713c030c623f655a40370e186d and triggered by 8f9b1902f48b413bd161666630c878ad58418c04 and 555ea8334451c5ccd881e68b8b7ddc15745e66e3. The attached patch fixes the bug and includes a test to demonstrate the issue. ---Files-------------------------------- ruby-irb.patch (1.26 KB) -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111041] [Ruby master Misc#19030] [ANN] Migrate lists.ruby-lang.org to Google Groups
by hsbt (Hiroshi SHIBATA) 29 Nov '22

29 Nov '22

Issue #19030 has been updated by hsbt (Hiroshi SHIBATA). Status changed from Assigned to Closed The issue of discourse mirror for ruby-talk is resolved. https://rubytalk.org/t/i-sent-this-to-the-list-but-got-this-error-here/7610… Unfortunately, our list addresses are changed `ruby-lang.org` to `ml.ruby-lang.org`. And `List-Id` is also changed like `ruby-core.ruby-lang.org` to `ruby-core.ml.ruby-lang.org`. You may update filter configuration for your mailer. ---------------------------------------- Misc #19030: [ANN] Migrate lists.ruby-lang.org to Google Groups https://bugs.ruby-lang.org/issues/19030#change-100294 * Author: hsbt (Hiroshi SHIBATA) * Status: Closed * Priority: Normal * Assignee: hsbt (Hiroshi SHIBATA) ---------------------------------------- Our mailing-list server that is `lists.ruby-lang.org` is too old. And it's difficult to replace new server on AWS because building mail-service on AWS has a lot of limitations. I and @shugo decided to migrate lists.ruby-lang.org to Google Groups. * In Nov-Dec 2022, we migrate the current list member to Google Groups of our google workspace. * I hope to migrate to the last list-id, But I'm not sure we can do that. * What will be used as an archive viewer has yet to be TBD status. * blade is still down. * I prefer plain text viewer like blade instead of google groups. Should we build it? I will update this plan in this thread. -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111040] [Ruby master Bug#19157] URI bad component validation can be tricked
by straight-shoota 28 Nov '22

28 Nov '22

Issue #19157 has been reported by straight-shoota (Johannes Müller). ---------------------------------------- Bug #19157: URI bad component validation can be tricked https://bugs.ruby-lang.org/issues/19157 * Author: straight-shoota (Johannes Müller) * Status: Open * Priority: Normal * ruby -v: 3.1.3 * Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN ---------------------------------------- `URI::HTTP` checks the validity of the URI components. For example, the path of a URI with authority component must be either empty or start with a slash. This validation applies on the `.build` constructor as well as on the `path` setter. But it can be tricked when setting an empty authority component and scheme before setting a relative path, and then setting the authority and scheme again. This produces an invalid and incorrect URI. ``` ruby require "uri" uri = URI::HTTP.build({}) uri.scheme = nil uri.path = "resource" uri.host = "example.com" # this should raise URI::InvalidComponentError uri.scheme = "http" uri.to_s # => "http://example.comresource" ``` -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111039] [Ruby master Feature#19000] Data: Add "Copy with changes method" [Follow-on to #16122 Data: simple immutable value object]
by RubyBugs (A Nonymous) 28 Nov '22

28 Nov '22

Issue #19000 has been updated by RubyBugs (A Nonymous). bdewater (Bart de Water) wrote in #note-15: > I like `dup` as the method name 👍 > Is there a way we could get more active Rubyists to weigh in? My sense is that there is a real tension in that: * Nearly every major value objects gem use `#with` * Most other language with value objects use `#with` On the other hand, there seem to be a number of voices on this Bug thread, who while they don't necessarily currently work with code that uses this exact pattern, feel strongly that overloading the meaning of `#dup` is a better choice for Ruby. Even the amazing and incomparable @jeremyevans, whose Sequel gem our team depends on as well :) While it might not generally be the practice of the Ruby community, would we consider a way to get more "working Rubyist" eyes on this question? Perhaps by getting this thread in to the Ruby Weekly News for example? In the end, having the method is more important than the name. But it does seem important to let voices be heard? ---------------------------------------- Feature #19000: Data: Add "Copy with changes method" [Follow-on to #16122 Data: simple immutable value object] https://bugs.ruby-lang.org/issues/19000#change-100292 * Author: RubyBugs (A Nonymous) * Status: Open * Priority: Normal ---------------------------------------- *As requested: extracted a follow-up to #16122 Data: simple immutable value object from [this comment](http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/109815)* # Proposal: Add a "Copy with changes" method to Data Assume the proposed `Data.define` exists. Seeing examples from the [[Values gem]](https://github.com/ms-ati/Values): ```ruby # A new class Point = Data.def(:x, :y) # An immutable instance Origin = Point.with(x: 0, y: 0) # Q: How do we make copies that change 1 or more values? right = Origin.with(x: 1.0) up = Origin.with(y: 1.0) up_and_right = right.with(y: up.y) # In loops movements = [ { x: +0.5 }, { x: +0.5 }, { y: -1.0 }, { x: +0.5 }, ] # position = Point(x: 1.5, y: -1.0) position = movements.inject(Origin) { |p, move| p.with(**move) } ``` ## Proposed detail: Call this method: `#with` ```ruby Money = Data.define(:amount, :currency) account = Money.new(amount: 100, currency: 'USD') transactions = [+10, -5, +15] account = transactions.inject(account) { |a, t| a.with(amount: a.amount + t) } #=> Money(amount: 120, currency: "USD") ``` ## Why add this "Copy with changes" method to the Data simple immutable value class? Called on an instance, it returns a new instance with only the provided parameters changed. This API affordance is now **widely adopted across many languages** for its usefulness. Why is it so useful? Because copying immutable value object instances, with 1 or more discrete changes to specific fields, is the proper and ubiquitous pattern that takes the place of mutation when working with immutable value objects. **Other languages** C# Records: “immutable record structs — Non-destructive mutation” — is called `with { ... }` https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-t… Scala Case Classes — is called `#copy` https://docs.scala-lang.org/tour/case-classes.html Java 14+ Records — Brian Goetz at Oracle is working on adding a with copy constructor inspired by C# above as we speak, likely to be called `#with` https://mail.openjdk.org/pipermail/amber-spec-experts/2022-June/003461.html Rust “Struct Update Syntax” via `..` syntax in constructor https://doc.rust-lang.org/book/ch05-01-defining-structs.html#creating-insta… ## Alternatives Without a copy-with-changes method, one must construct entirely new instances using the constructor. This can either be (a) fully spelled out as boilerplate code, or (b) use a symmetrical `#to_h` to feed the keyword-args constructor. **(a) Boilerplate using constructor** ```ruby Point = Data.define(:x, :y, :z) Origin = Point.new(x: 0.0, y: 0.0, z: 0.0) change = { z: -1.5 } # Have to use full constructor -- does this even work? point = Point.new(x: Origin.x, y: Origin.y, **change) ``` **(b) Using a separately proposed `#to_h` method and constructor symmetry** ```ruby Point = Data.define(:x, :y, :z) Origin = Point.new(x: 0.0, y: 0.0, z: 0.0) change = { z: -1.5 } # Have to use full constructor -- does this even work? point = Point.new(**(Origin.to_h.merge(change))) ``` Notice that the above are not ergonomic -- leading so many of our peer language communities to adopt the `#with` method to copy an instance with discrete changes. -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111038] [Ruby master Feature#19000] Data: Add "Copy with changes method" [Follow-on to #16122 Data: simple immutable value object]
by bdewater (Bart de Water) 28 Nov '22

28 Nov '22

Issue #19000 has been updated by bdewater (Bart de Water). I like `dup` as the method name 👍 tomstuart (Tom Stuart) wrote in #note-9: > Perhaps another way of putting this is that I’d estimate most Ruby programmers rarely call `Object#dup` in the course of their work, whereas I would expect users of `Data` to need this new “copy with changes” operation somewhat frequently, especially if they’re migrating existing code from `Struct`. But of course I have no data to support that guess! I don't think `dup` is that rare, IME most Ruby programmers are familiar with it even if they don't use it daily. Some unscientific data points of usage in Rails apps: - https://github.com/discourse/discourse/search?l=Ruby&q=dup - https://github.com/mastodon/mastodon/search?l=Ruby&q=dup - https://gitlab.com/search?search=dup&nav_source=navbar&project_id=278964&gr… ---------------------------------------- Feature #19000: Data: Add "Copy with changes method" [Follow-on to #16122 Data: simple immutable value object] https://bugs.ruby-lang.org/issues/19000#change-100291 * Author: RubyBugs (A Nonymous) * Status: Open * Priority: Normal ---------------------------------------- *As requested: extracted a follow-up to #16122 Data: simple immutable value object from [this comment](http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/109815)* # Proposal: Add a "Copy with changes" method to Data Assume the proposed `Data.define` exists. Seeing examples from the [[Values gem]](https://github.com/ms-ati/Values): ```ruby # A new class Point = Data.def(:x, :y) # An immutable instance Origin = Point.with(x: 0, y: 0) # Q: How do we make copies that change 1 or more values? right = Origin.with(x: 1.0) up = Origin.with(y: 1.0) up_and_right = right.with(y: up.y) # In loops movements = [ { x: +0.5 }, { x: +0.5 }, { y: -1.0 }, { x: +0.5 }, ] # position = Point(x: 1.5, y: -1.0) position = movements.inject(Origin) { |p, move| p.with(**move) } ``` ## Proposed detail: Call this method: `#with` ```ruby Money = Data.define(:amount, :currency) account = Money.new(amount: 100, currency: 'USD') transactions = [+10, -5, +15] account = transactions.inject(account) { |a, t| a.with(amount: a.amount + t) } #=> Money(amount: 120, currency: "USD") ``` ## Why add this "Copy with changes" method to the Data simple immutable value class? Called on an instance, it returns a new instance with only the provided parameters changed. This API affordance is now **widely adopted across many languages** for its usefulness. Why is it so useful? Because copying immutable value object instances, with 1 or more discrete changes to specific fields, is the proper and ubiquitous pattern that takes the place of mutation when working with immutable value objects. **Other languages** C# Records: “immutable record structs — Non-destructive mutation” — is called `with { ... }` https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-t… Scala Case Classes — is called `#copy` https://docs.scala-lang.org/tour/case-classes.html Java 14+ Records — Brian Goetz at Oracle is working on adding a with copy constructor inspired by C# above as we speak, likely to be called `#with` https://mail.openjdk.org/pipermail/amber-spec-experts/2022-June/003461.html Rust “Struct Update Syntax” via `..` syntax in constructor https://doc.rust-lang.org/book/ch05-01-defining-structs.html#creating-insta… ## Alternatives Without a copy-with-changes method, one must construct entirely new instances using the constructor. This can either be (a) fully spelled out as boilerplate code, or (b) use a symmetrical `#to_h` to feed the keyword-args constructor. **(a) Boilerplate using constructor** ```ruby Point = Data.define(:x, :y, :z) Origin = Point.new(x: 0.0, y: 0.0, z: 0.0) change = { z: -1.5 } # Have to use full constructor -- does this even work? point = Point.new(x: Origin.x, y: Origin.y, **change) ``` **(b) Using a separately proposed `#to_h` method and constructor symmetry** ```ruby Point = Data.define(:x, :y, :z) Origin = Point.new(x: 0.0, y: 0.0, z: 0.0) change = { z: -1.5 } # Have to use full constructor -- does this even work? point = Point.new(**(Origin.to_h.merge(change))) ``` Notice that the above are not ergonomic -- leading so many of our peer language communities to adopt the `#with` method to copy an instance with discrete changes. -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111035] [Ruby master Misc#19155] documentation of Pathname#join with absolute path
by colorbox (box color) 28 Nov '22

28 Nov '22

Issue #19155 has been reported by colorbox (box color). ---------------------------------------- Misc #19155: documentation of Pathname#join with absolute path https://bugs.ruby-lang.org/issues/19155 * Author: colorbox (box color) * Status: Open * Priority: Normal ---------------------------------------- Pathname#join ignores previous directory name before absolute path Is this intentional? ```irb irb(main):002:0> require 'pathname' => true irb(main):003:0> Pathname('/foo').join('bar', 'baz') => #<Pathname:/foo/bar/baz> irb(main):004:0> Pathname('/foo').join('bar', '/baz') => #<Pathname:/baz> irb(main):005:0> ➜✗ ruby -v ruby 3.0.4p208 (2022-04-12 revision 3fa771dded) [x86_64-darwin19] ``` I found that this behavior is intentional from test code but I cannot found reason. https://github.com/ruby/pathname/blob/master/test/pathname/test_pathname.rb… There was no description of this behavior in the documentation. -- https://bugs.ruby-lang.org/

2 1

[ruby-core:111032] [Ruby master Bug#4040] SystemStackError with Hash[*a] for Large _a_
by jeremyevans0 (Jeremy Evans) 28 Nov '22

28 Nov '22

Issue #4040 has been updated by jeremyevans0 (Jeremy Evans). I submitted a pull request to fix this: https://github.com/ruby/ruby/pull/6816 ---------------------------------------- Bug #4040: SystemStackError with Hash[*a] for Large _a_ https://bugs.ruby-lang.org/issues/4040#change-100285 * Author: runpaint (Run Paint Run Run) * Status: Assigned * Priority: Normal * Assignee: ko1 (Koichi Sasada) * ruby -v: ruby 1.9.3dev (2010-11-09 trunk 29737) [x86_64-linux] * Backport: 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN ---------------------------------------- =begin I've been hesitating over whether to file a ticket about this, so please feel free to close if I've made the wrong choice. I often use Hash[*array.flatten] in IRB to convert arrays of arrays into hashes. Today I noticed that if the array is big enough, this would raise a SystemStackError. Puzzled, I looked deeper. I assumed I was hitting the maximum number of arguments a method's argc can hold, but realised that the minimum size of the array needed to trigger this exception differed depending on whether I used IRB or not. So, presumably this is indeed exhausting the stack... In IRB, the following is the minimal reproduction of this problem: Hash[*130648.times.map{ 1 }]; true I haven't looked for the minimum value needed with `ruby -e`, but the following reproduces: ruby -e 'Hash[*1380888.times.map{ 1 }]' I suppose this isn't technically a bug, but maybe it offers another argument for either #666 or an extension of #3131. =end -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111031] [Ruby master Misc#19030] [ANN] Migrate lists.ruby-lang.org to Google Groups
by hsbt (Hiroshi SHIBATA) 28 Nov '22

28 Nov '22

Issue #19030 has been updated by hsbt (Hiroshi SHIBATA). I and @shugo have been migrated all of mailing-lists to google groups and mailmanlists.net. ``` ruby-core - Ruby developers ruby-dev - Ruby developers (Japanese) ruby-doc - Ruby documentation ruby-list - Ruby users (Japanese) ruby-talk - Ruby users ``` Unfortunately, above lists couldn't migrate to google groups. So, I did choose to stay mailman provided by mailmanlists.net. mailmanlists.net provide the official archive built by [hyperkitty](https://gitlab.com/mailman/hyperkitty), (demo site is [here](https://lists.mailman3.org/mailman3/lists/)) I'm considering to move it from http://blade.nagaokaut.ac.jp/. And now, we will get the error notification from `notifications(a)rubytalk.discoursemail.com` when we send a message to `ruby-talk`. I shared this status to @sam.saffron . I'll close this ticket after resolving discourse integration. Thanks all. ---------------------------------------- Misc #19030: [ANN] Migrate lists.ruby-lang.org to Google Groups https://bugs.ruby-lang.org/issues/19030#change-100284 * Author: hsbt (Hiroshi SHIBATA) * Status: Assigned * Priority: Normal * Assignee: hsbt (Hiroshi SHIBATA) ---------------------------------------- Our mailing-list server that is `lists.ruby-lang.org` is too old. And it's difficult to replace new server on AWS because building mail-service on AWS has a lot of limitations. I and @shugo decided to migrate lists.ruby-lang.org to Google Groups. * In Nov-Dec 2022, we migrate the current list member to Google Groups of our google workspace. * I hope to migrate to the last list-id, But I'm not sure we can do that. * What will be used as an archive viewer has yet to be TBD status. * blade is still down. * I prefer plain text viewer like blade instead of google groups. Should we build it? I will update this plan in this thread. -- https://bugs.ruby-lang.org/

1 0

[ruby-core:111030] [Ruby master Feature#19090] Do not duplicate an unescaped string in CGI.escapeHTML
by k0kubun (Takashi Kokubun) 27 Nov '22

27 Nov '22

Issue #19090 has been updated by k0kubun (Takashi Kokubun). I get what you're saying. My position on this issue is: * `CGI` is not a good place either unless you're writing a CGI application. ERB also has `ERB::Escape` now, and I'd say "embedded Ruby escape" is a better module name than "CGI" for the purpose. * ERB 4.0.0 was shipped with a new file `erb/util.rb`, which allows you to load only a couple of escape methods, not loading an extra template engine. * The way we defined the method was designed by @jeremyevans0 for Erubi. Loading the ERB template engine would be the last thing the Erubi maintainer would like to do. So, thanks to his idea, it's possible to load only escape methods. * `ERB::Util.html_escape` is monkey-patched by Rails and it's been the only official `html_safe`-compatible HTML escape method for years (while it's been using Erubis or Erubi). It's the only Rails-official way to do it, and moving it to somewhere else would be unnecessarily disruptive. ---------------------------------------- Feature #19090: Do not duplicate an unescaped string in CGI.escapeHTML https://bugs.ruby-lang.org/issues/19090#change-100283 * Author: k0kubun (Takashi Kokubun) * Status: Closed * Priority: Normal ---------------------------------------- ## Proposal Stop guaranteeing that `GGI.escapeHTML` returns a new string even if there's nothing to be escaped. More specifically, stop calling this `rb_str_dup` https://github.com/ruby/cgi/blob/v0.3.3/ext/cgi/escape/escape.c#L72 for the case that nothing needs to be escaped. ## Background My original implementation https://github.com/ruby/ruby/pull/1164 was not calling it. The reason why `rb_str_dup` was added was that [Bug #11858] claimed returning the argument object for non-escaped cases is a backward incompatibility because the original `gsub`-based implementation always returns a new object. As a result, even while many people use `CGI.escapeHTML` as an optimized implementation for escaping HTML today, it ended up having a compromised performance. ## Motivation The motivation is to improve performance. By just doing so, escaping a pre-allocated `"string"` becomes 1.34x faster on my machine https://gist.github.com/k0kubun/f66d6fe1e6ba821e4263257e504ba28f. The most major use case of `CGP.escapeHTML` is to safely embed a user input. When the result is just embedded in another string, the allocated new object will be just wasted. It's pretty common that an embedded string fragment doesn't contain any of `'"&<>` characters. So we should stop wasting that to optimize that case. [Bug #11858] wasn't really a use case but just "I think this is backward incompatibility" based on frozen Hello World. Unlike user input, you usually don't need to escape your own string literal. It feels like the ticket addressed a problem that doesn't exist in actual applications. It should have cited existing code that could be broken by that, and I can't find such code with `gem-codesearch` today. The only reason to maintain the current behavior would be to allow using a return value of `CGI.escapeHTML` as a buffer for creating another longer string starting with the escaped value, but using `CGI.escapeHTML` to initialize a string buffer feels like an abuse. Relying on the behavior never makes sense as an "optimization" either because it makes all other cases (the result is not used as a string buffer) suboptimal. ## Why not an optional flag like `CGI.escapeHTML(str, dup: false)`? Two reasons: * The non-dup behavior should be used 99.999..9% of the time. We shouldn't make code using `CGI.escapeHTML` less readable just for maintaining a use case that doesn't exist. * Passing keyword arguments to a C extension is unfortunately slow, and it defeats the optimization purpose. In core classes, we could use `Primitive` to address that, but this is a default gem and we can't use that. * We could workaround that if we choose `CGI.escapeHTML(str, false)`, but again it'd spoil the readability for maintaining an invalid use case. ## Why not a new method? It's a good idea actually, but with `escapeHTML`, `escape_html`, and `h` aliased to it already, I can't think of a good name for it. And again, not calling it `escapeHTML` or `escape_html` would spoil the readability for no valid reason. -- https://bugs.ruby-lang.org/

1 0