
ruby-changes:13306

From: marcandre <ko1@a...>
Date: Thu, 24 Sep 2009 10:26:56 +0900 (JST)
Subject: [ruby-changes:13306] Ruby:r25069 (ruby_1_8): * ext/openssl/ossl_config.c (ossl_config_add_value_m, ossl_config_set_section): Check if frozen (or untainted for $SECURE >= 4)

marcandre	2009-09-24 10:26:41 +0900 (Thu, 24 Sep 2009)

  New Revision: 25069

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=25069

  Log:
    * ext/openssl/ossl_config.c (ossl_config_add_value_m, ossl_config_set_section): Check if frozen (or untainted for $SECURE >= 4) [ruby-core:18377]

  Modified files:
    branches/ruby_1_8/ChangeLog
    branches/ruby_1_8/ext/openssl/ossl_config.c

Index: ruby_1_8/ext/openssl/ossl_config.c
===================================================================
--- ruby_1_8/ext/openssl/ossl_config.c	(revision 25068)
+++ ruby_1_8/ext/openssl/ossl_config.c	(revision 25069)
@@ -158,6 +158,14 @@
     return self;
 }
 
+static void
+rb_ossl_config_modify_check(VALUE config)
+{
+    if (OBJ_FROZEN(config)) rb_error_frozen("OpenSSL::Config");
+    if (!OBJ_TAINTED(config) && rb_safe_level() >= 4)
+	rb_raise(rb_eSecurityError, "Insecure: can't modify OpenSSL config");
+}
+
 static VALUE
 ossl_config_add_value(VALUE self, VALUE section, VALUE name, VALUE value)
 {
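Review bot: `rb_error_frozen("OpenSSL::Config")` in the new helper hard-codes the class name, so a frozen instance of a subclass would be reported under the wrong name; `rb_error_frozen(rb_obj_classname(config))` names the actual class. The helper is `static` to this file but carries the `rb_` prefix that the interpreter's own API uses; `ossl_config_modify_check` would match the neighbouring `ossl_config_*` functions. It also deserves a one-line comment stating the rule it enforces, for example `/* Raise if config is frozen, or if $SAFE >= 4 and config is untainted. */`, since the taint condition is easy to misread as inverted.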
@@ -167,6 +175,7 @@
     CONF *conf;
     CONF_VALUE *sv, *cv;
 
+    rb_ossl_config_modify_check(self);
     StringValue(section);
     StringValue(name);
     StringValue(value);
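Review bot: The modify check runs before the three `StringValue()` conversions, and `StringValue` can call `to_str` on a non-String argument, so arbitrary Ruby code may run between the check and the write to the CONF. An object frozen during that window would still be modified. Moving `rb_ossl_config_modify_check(self);` to just after `StringValue(value);` closes the gap. The same ordering appears in the last hunk of this file, where the check precedes `rb_block_call(hash, rb_intern("each"), ...)`; whether `set_conf_section_i` re-checks per entry is not visible here. The enclosing function starts and ends outside this hunk.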
@@ -247,6 +256,7 @@
 {
     VALUE arg[2];
 
+    rb_ossl_config_modify_check(self);
     arg[0] = self;
     arg[1] = section;
     rb_block_call(hash, rb_intern("each"), 0, 0, set_conf_section_i, (VALUE)arg);
Index: ruby_1_8/ChangeLog
===================================================================
--- ruby_1_8/ChangeLog	(revision 25068)
+++ ruby_1_8/ChangeLog	(revision 25069)
@@ -1,3 +1,9 @@
+Thu Sep 24 10:26:16 2009  Marc-Andre Lafortune  <ruby-core@m...>
+
+	* ext/openssl/ossl_config.c (ossl_config_add_value_m,
+	  ossl_config_set_section): Check if frozen (or untainted for $SECURE >=
+	  4) [ruby-core:18377]
+
 Thu Sep 24 10:06:19 2009  Marc-Andre Lafortune  <ruby-core@m...>
 
 	* lib/mathn.rb (Fixnum#**, Float#**, Bignum#**): Allow fractional
