ruby-changes:12681
From: mame <ko1@a...>
Date: Wed, 5 Aug 2009 01:44:30 +0900 (JST)
Subject: [ruby-changes:12681] Ruby:r24396 (trunk): * lib/pp.rb (guard_inspect_key): untrust internal hash to prevent
mame 2009-08-05 01:44:05 +0900 (Wed, 05 Aug 2009) New Revision: 24396 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=24396 Log: * lib/pp.rb (guard_inspect_key): untrust internal hash to prevent unexpected SecurityError. * test/ruby/test_object.rb: add a test for [ruby-dev:38982]. Modified files: trunk/ChangeLog trunk/lib/pp.rb trunk/test/ruby/test_object.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 24395) +++ ChangeLog (revision 24396) @@ -1,3 +1,10 @@ +Wed Aug 5 01:38:27 2009 Yusuke Endoh <mame@t...> + + * lib/pp.rb (guard_inspect_key): untrust internal hash to prevent + unexpected SecurityError. + + * test/ruby/test_object.rb: add a test for [ruby-dev:38982]. + Wed Aug 5 00:33:05 2009 Nobuyoshi Nakada <nobu@r...> * lib/rdoc/parser/c.rb: fixed a small error in the documentation. Index: lib/pp.rb =================================================================== --- lib/pp.rb (revision 24395) +++ lib/pp.rb (revision 24396) @@ -107,17 +107,17 @@ module PPMethods def guard_inspect_key if Thread.current[:__recursive_key__] == nil - Thread.current[:__recursive_key__] = {} + Thread.current[:__recursive_key__] = {}.untrust end if Thread.current[:__recursive_key__][:inspect] == nil - Thread.current[:__recursive_key__][:inspect] = {} + Thread.current[:__recursive_key__][:inspect] = {}.untrust end save = Thread.current[:__recursive_key__][:inspect] begin - Thread.current[:__recursive_key__][:inspect] = {} + Thread.current[:__recursive_key__][:inspect] = {}.untrust yield ensure Thread.current[:__recursive_key__][:inspect] = save Index: test/ruby/test_object.rb =================================================================== --- test/ruby/test_object.rb (revision 24395) +++ test/ruby/test_object.rb (revision 24396) 
@@ -413,4 +413,40 @@ assert_equal(true, s.untrusted?) assert_equal(true, s.tainted?) end + + def test_exec_recursive + Thread.current[:__recursive_key__] = nil + a = [[]] + a.inspect + + assert_nothing_raised do + -> do + $SAFE = 4 + begin + a.hash + rescue ArgumentError + end + end.call + end + + -> do + assert_nothing_raised do + $SAFE = 4 + a.inspect + end + end.call + + -> do + o = Object.new + def o.to_ary(x); end + def o.==(x); $SAFE = 4; false; end + a = [[o]] + b = [] + b << b + + assert_nothing_raised do + b == a + end + end.call + end end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
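Review bot: In the lib/pp.rb hunk, guard_inspect_key now writes `{}.untrust` in three places with no comment saying why the recursion table has to be untrusted; the only explanation is the ChangeLog line ("to prevent unexpected SecurityError"). Add a short comment at the first assignment saying that the table must stay writable when inspect runs under a raised `$SAFE`, and note there that an untrusted table can also be modified by that same low-trust code. The two nil checks could be written with `||=` so that each level's `{}.untrust` initializer appears once.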
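Review bot: In the test/ruby/test_object.rb hunk, test_exec_recursive never goes through guard_inspect_key: it exercises `a.hash`, `a.inspect` and `b == a`, but nothing from pp, so the lib/pp.rb change in this same revision has no coverage. Add a case that calls a pp entry point (for example `pretty_inspect` on a nested array) inside a `$SAFE = 4` lambda under assert_nothing_raised. The opening `Thread.current[:__recursive_key__] = nil` also discards whatever was stored there and never restores it; save the old value and put it back in an ensure so later tests on the same thread are not affected. The empty `rescue ArgumentError` in the first lambda should carry a comment saying why that exception is expected and ignored.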