ruby-changes:10373
From: nobu <ko1@a...>
Date: Sat, 31 Jan 2009 19:08:04 +0900 (JST)
Subject: [ruby-changes:10373] Ruby:r21917 (trunk): * load.c (rb_require_safe): raises when the path to be loaded is
nobu 2009-01-31 19:07:49 +0900 (Sat, 31 Jan 2009) New Revision: 21917 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=21917 Log: * load.c (rb_require_safe): raises when the path to be loaded is tainted. [ruby-dev:37843] Modified files: trunk/ChangeLog trunk/load.c Index: ChangeLog =================================================================== --- ChangeLog (revision 21916) +++ ChangeLog (revision 21917) @@ -1,3 +1,8 @@ +Sat Jan 31 19:09:30 2009 Nobuyoshi Nakada <nobu@r...> + + * load.c (rb_require_safe): raises when the path to be loaded is + tainted. [ruby-dev:37843] + Sat Jan 31 18:08:59 2009 Nobuyoshi Nakada <nobu@r...> * configure.in (optflags): defaulted to -O3 to get rid of slug of Index: load.c =================================================================== --- load.c (revision 21916) +++ load.c (revision 21917) @@ -554,13 +554,17 @@ rb_set_safe_level_force(safe); FilePathValue(fname); RB_GC_GUARD(fname) = rb_str_new4(fname); + rb_set_safe_level_force(0); found = search_required(fname, &path); if (found) { if (!path || !(ftptr = load_lock(RSTRING_PTR(path)))) { result = Qfalse; } else { - rb_set_safe_level_force(0); + if (safe > 0 && OBJ_TAINTED(path)) { + rb_raise(rb_eSecurityError, "cannot load from insecure path - %s", + RSTRING_PTR(path)); + } switch (found) { case 'r': rb_load(path, 0); -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
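Review bot: The ChangeLog entry says rb_require_safe raises when the path is tainted, but in the load.c hunk the raise is conditional on safe > 0, and the entry does not mention that rb_set_safe_level_force(0) now runs before search_required instead of just before the load. Suggest wording the entry to cover both, for example "raises under $SAFE > 0 when the found path is tainted; safe level is reset before searching".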
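Review bot: In the load.c hunk at -554, the new OBJ_TAINTED(path) check sits in the else branch, which is reached only after load_lock(RSTRING_PTR(path)) has succeeded, so rb_raise fires while the load lock for that path is held. The release path is not visible in these lines; please confirm it runs on this raise, or do the taint check right after search_required returns and before load_lock is called. Related: with rb_set_safe_level_force(0) moved above search_required, the search itself runs at level 0 and this check becomes the only guard, so it depends on search_required carrying taint into path. A short comment above the check stating that assumption would help later readers.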