
ruby-changes:18879

From: shyouhei <ko1@a...>
Date: Fri, 18 Feb 2011 20:05:32 +0900 (JST)
Subject: [ruby-changes:18879] Ruby:r30903 (ruby_1_8): * error.c (exc_to_s): untainted strings can be tainted via

shyouhei	2011-02-18 20:05:02 +0900 (Fri, 18 Feb 2011)

  New Revision: 30903

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903

  Log:
    * error.c (exc_to_s): untainted strings can be tainted via
      Exception#to_s, which enables attackers to overwrite sane strings.
      Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
    
    * error.c (name_err_to_s): ditto.
    
    * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
      Test for it.

  Modified files:
    branches/ruby_1_8/ChangeLog
    branches/ruby_1_8/error.c
    branches/ruby_1_8/test/ruby/test_exception.rb

Index: ruby_1_8/error.c
===================================================================
--- ruby_1_8/error.c	(revision 30902)
+++ ruby_1_8/error.c	(revision 30903)
@@ -403,7 +403,6 @@
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
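Review bot: in exc_to_s, nothing at `return mesg;` records that the taint of `exc` is now deliberately ignored, so a later cleanup could restore the removed `OBJ_TAINT(mesg)` line. Because `mesg` is the object fetched by `rb_attr_get(exc, rb_intern("mesg"))` and is returned as-is, tainting it also tainted the string the caller passed in. A one-line comment above `return mesg;` saying that the stored message must not be modified here would keep the reason next to the code.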
@@ -667,10 +666,9 @@
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-	rb_iv_set(exc, "mesg", mesg = str);
+	OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*
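Review bot: in name_err_to_s, dropping `rb_iv_set(exc, "mesg", mesg = str);` means the string produced by `StringValue(str)` is no longer stored back on the exception, and the hunk does not say whether that is intended. If `str` starts out as `mesg` (its initialisation is above the hunk), a non-String message is now converted again on every call, and each call can return a different object. Please add a comment at `OBJ_INFECT(str, mesg);` stating that only the taint of the message object is copied to the result, that the taint of `exc` is ignored on purpose, and that the conversion result is intentionally not cached.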
Index: ruby_1_8/ChangeLog
===================================================================
--- ruby_1_8/ChangeLog	(revision 30902)
+++ ruby_1_8/ChangeLog	(revision 30903)
@@ -1,3 +1,16 @@
+Fri Feb 18 20:02:29 2011  Shugo Maeda  <shugo@r...>
+
+	* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
+	  Test for below.
+
+Fri Feb 18 19:58:34 2011  URABE Shyouhei  <shyouhei@r...>
+
+	* error.c (exc_to_s): untainted strings can be tainted via
+	  Exception#to_s, which enables attackers to overwrite sane strings.
+	  Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
+
+	* error.c (name_err_to_s): ditto.
+
 Wed Jan 19 17:38:03 2011  NAKAMURA Usaku  <usa@r...>
 
 	* win32/win32.c (init_stdhandle): backport mistake of r29382.
Index: ruby_1_8/test/ruby/test_exception.rb
===================================================================
--- ruby_1_8/test/ruby/test_exception.rb	(revision 30902)
+++ ruby_1_8/test/ruby/test_exception.rb	(revision 30903)
@@ -184,4 +184,26 @@
       assert(false)
     end
   end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+    
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end
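Review bot: in test_to_s_taintness_propagation, the positive case (taint is carried over from the message) is only checked for NameError with a tainted `to_str` object. There is no case where a tainted String message is passed to Exception or NameError, so the expected result for that input is left unpinned. Consider adding it to the `for exc in [Exception, NameError]` loop. The two assertions in the loop also share the same failure message, so a failure does not say whether `m` or `s` was tainted; distinct messages, and a message on the final `assert_equal(true, s.tainted?)`, would make failures easier to read.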

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
