
ruby-changes:10373

From: nobu <ko1@a...>
Date: Sat, 31 Jan 2009 19:08:04 +0900 (JST)
Subject: [ruby-changes:10373] Ruby:r21917 (trunk): * load.c (rb_require_safe): raises when the path to be loaded is

nobu	2009-01-31 19:07:49 +0900 (Sat, 31 Jan 2009)

  New Revision: 21917

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=21917

  Log:
    * load.c (rb_require_safe): raises when the path to be loaded is
      tainted.  [ruby-dev:37843]

  Modified files:
    trunk/ChangeLog
    trunk/load.c

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 21916)
+++ ChangeLog	(revision 21917)
@@ -1,3 +1,8 @@
+Sat Jan 31 19:09:30 2009  Nobuyoshi Nakada  <nobu@r...>
+
+	* load.c (rb_require_safe): raises when the path to be loaded is
+	  tainted.  [ruby-dev:37843]
+
 Sat Jan 31 18:08:59 2009  Nobuyoshi Nakada  <nobu@r...>
 
 	* configure.in (optflags): defaulted to -O3 to get rid of slug of
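Review bot: the new ChangeLog entry is stamped 19:09:30, later than the 19:07:49 commit time shown in the mail header; harmless, but the entry should carry the same time as the commit it describes so the two stay in order.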
Index: load.c
===================================================================
--- load.c	(revision 21916)
+++ load.c	(revision 21917)
@@ -554,13 +554,17 @@
 	rb_set_safe_level_force(safe);
 	FilePathValue(fname);
 	RB_GC_GUARD(fname) = rb_str_new4(fname);
+	rb_set_safe_level_force(0);
 	found = search_required(fname, &path);
 	if (found) {
 	    if (!path || !(ftptr = load_lock(RSTRING_PTR(path)))) {
 		result = Qfalse;
 	    }
 	    else {
-		rb_set_safe_level_force(0);
+		if (safe > 0 && OBJ_TAINTED(path)) {
+		    rb_raise(rb_eSecurityError, "cannot load from insecure path - %s",
+			     RSTRING_PTR(path));
+		}
 		switch (found) {
 		  case 'r':
 		    rb_load(path, 0);
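Review bot: the taint check is placed after `load_lock(RSTRING_PTR(path))` has already succeeded, and the visible lines show no release of that lock before `rb_raise(rb_eSecurityError, ...)` unwinds; unless an enclosing ensure releases it, a rejected tainted path would leave the load lock held for that file. Moving the `safe > 0 && OBJ_TAINTED(path)` check ahead of the `load_lock` call, or releasing the lock before raising, avoids that. Also worth a comment in the code: `rb_set_safe_level_force(0)` is now moved before `search_required`, so the $LOAD_PATH search itself runs at safe level 0 and the security guarantee rests entirely on the taint check of the resolved `path`; that dependency deserves a note next to the check so a later change does not weaken it.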

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
