
ruby-changes:34466

From: nobu <ko1@a...>
Date: Wed, 25 Jun 2014 10:20:07 +0900 (JST)
Subject: [ruby-changes:34466] nobu:r46547 (trunk): hash.c: prohibit tainted strings

nobu	2014-06-25 10:20:01 +0900 (Wed, 25 Jun 2014)

  New Revision: 46547

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=46547

  Log:
    hash.c: prohibit tainted strings
    
    * hash.c (env_aset, env_has_key, env_assoc, env_has_value),
      (env_rassoc, env_key): prohibit tainted strings if $SAFE is
      non-zero.  [Bug #9976]

  Modified files:
    trunk/ChangeLog
    trunk/hash.c
    trunk/test/ruby/test_env.rb
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 46546)
+++ ChangeLog	(revision 46547)
@@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Wed Jun 25 10:19:59 2014  Nobuyoshi Nakada  <nobu@r...>
+
+	* hash.c (env_aset, env_has_key, env_assoc, env_has_value),
+	  (env_rassoc, env_key): prohibit tainted strings if $SAFE is
+	  non-zero.  [Bug #9976]
+
 Tue Jun 24 14:46:17 2014  SHIBATA Hiroshi  <shibata.hiroshi@g...>
 
 	* lib/gserver.rb: remove redundant use of to_s in interpolation.
Index: hash.c
===================================================================
--- hash.c	(revision 46546)
+++ hash.c	(revision 46547)
@@ -2871,8 +2871,8 @@ env_aset(VALUE obj, VALUE nm, VALUE val) https://github.com/ruby/ruby/blob/trunk/hash.c#L2871
 	env_delete(obj, nm);
 	return Qnil;
     }
-    StringValue(nm);
-    StringValue(val);
+    SafeStringValue(nm);
+    SafeStringValue(val);
     name = RSTRING_PTR(nm);
     value = RSTRING_PTR(val);
     if (memchr(name, '\0', RSTRING_LEN(nm)))
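Review bot: The nil-value branch at the top of this hunk calls `env_delete(obj, nm)` and returns before the new `SafeStringValue(nm);` runs, so whether `ENV["FOO".taint] = nil` is rejected under a non-zero $SAFE depends entirely on env_delete, whose body is not visible here. If env_delete does not already check taint, moving `SafeStringValue(nm);` above the nil test would close the gap. Either way, a test for the nil-assignment path alongside test_taint_aset_key would pin the behaviour. env_aset starts and ends outside the hunk.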
@@ -3369,7 +3369,8 @@ env_has_key(VALUE env, VALUE key) https://github.com/ruby/ruby/blob/trunk/hash.c#L3369
 {
     char *s;
 
-    s = StringValuePtr(key);
+    SafeStringValue(key);
+    s = RSTRING_PTR(key);
     if (memchr(s, '\0', RSTRING_LEN(key)))
 	rb_raise(rb_eArgError, "bad environment variable name");
     if (getenv(s)) return Qtrue;
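Review bot: The sequence of taint check, `RSTRING_PTR` and embedded-NUL rejection is now written out identically in env_has_key here and in env_assoc (next hunk), and env_aset's visible lines repeat the same name validation. A small static helper would keep the two checks together, so a later ENV entry point cannot pick up the NUL check without the taint check or the reverse. The name used below is only a suggestion. Both function bodies continue outside their hunks.

```c
/* Validate an ENV name: taint check under $SAFE, then reject embedded NULs. */
static char *
env_name_cstr(VALUE *key)
{
    char *s;

    SafeStringValue(*key);
    s = RSTRING_PTR(*key);
    if (memchr(s, '\0', RSTRING_LEN(*key)))
	rb_raise(rb_eArgError, "bad environment variable name");
    return s;
}

/* in env_has_key and env_assoc, replacing the three open-coded lines */
    s = env_name_cstr(&key);
/* … unchanged: getenv lookup and result handling … */
```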
@@ -3388,7 +3389,8 @@ env_assoc(VALUE env, VALUE key) https://github.com/ruby/ruby/blob/trunk/hash.c#L3389
 {
     char *s, *e;
 
-    s = StringValuePtr(key);
+    SafeStringValue(key);
+    s = RSTRING_PTR(key);
     if (memchr(s, '\0', RSTRING_LEN(key)))
 	rb_raise(rb_eArgError, "bad environment variable name");
     e = getenv(s);
@@ -3410,6 +3412,7 @@ env_has_value(VALUE dmy, VALUE obj) https://github.com/ruby/ruby/blob/trunk/hash.c#L3412
 
     obj = rb_check_string_type(obj);
     if (NIL_P(obj)) return Qnil;
+    rb_check_safe_obj(obj);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
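Review bot: The placement of `rb_check_safe_obj(obj);` after the `NIL_P(obj)` early return deserves a comment here and at the same spot in env_rassoc (next hunk), because it means a tainted argument that is not string-convertible still returns nil instead of raising. That differs from env_key, which uses `SafeStringValue(value)` and so never reaches a quiet nil path. Something like `/* checked after conversion: non-strings return nil above, only a real (possibly to_str-derived) string is taint-checked */` would record that the asymmetry is intentional. The function body continues outside the hunk.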
@@ -3440,6 +3443,7 @@ env_rassoc(VALUE dmy, VALUE obj) https://github.com/ruby/ruby/blob/trunk/hash.c#L3443
 
     obj = rb_check_string_type(obj);
     if (NIL_P(obj)) return Qnil;
+    rb_check_safe_obj(obj);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
@@ -3470,7 +3474,7 @@ env_key(VALUE dmy, VALUE value) https://github.com/ruby/ruby/blob/trunk/hash.c#L3474
     char **env;
     VALUE str;
 
-    StringValue(value);
+    SafeStringValue(value);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
Index: test/ruby/test_env.rb
===================================================================
--- test/ruby/test_env.rb	(revision 46546)
+++ test/ruby/test_env.rb	(revision 46547)
@@ -426,4 +426,85 @@ class TestEnv < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_env.rb#L426
       assert_predicate(ENV.fetch(k), :frozen?, "fetch(#{k.dump})")
     end
   end
+
+  def test_taint_aref
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO".taint]
+      end.call
+    end
+  end
+
+  def test_taint_fetch
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.fetch("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_assoc
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.assoc("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_rassoc
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.rassoc("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_key
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.key("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_key_p
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.key?("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_value_p
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.value?("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_aset_value
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO"] = "BAR".taint
+      end.call
+    end
+  end
+
+  def test_taint_aset_key
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO".taint] = "BAR"
+      end.call
+    end
+  end
 end
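Review bot: Every new test sets `$SAFE = 2`, while the log says tainted strings are prohibited whenever $SAFE is non-zero, so the boundary level is never exercised. A `$SAFE = 1` variant of at least one lookup and one assignment case would pin the documented threshold. test_taint_aref and test_taint_fetch cover entry points that this commit's hash.c hunks do not touch, so they presumably passed before the change and act as regression guards rather than tests of the fix. If the check ever regressed, `ENV["FOO"] = "BAR".taint` in test_taint_aset_value would leave FOO set for later tests; an `ensure` that deletes it would keep the failure contained.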

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
