ruby-changes:18879
From: shyouhei <ko1@a...>
Date: Fri, 18 Feb 2011 20:05:32 +0900 (JST)
Subject: [ruby-changes:18879] Ruby:r30903 (ruby_1_8): * error.c (exc_to_s): untainted strings can be tainted via
shyouhei 2011-02-18 20:05:02 +0900 (Fri, 18 Feb 2011) New Revision: 30903 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30903 Log: * error.c (exc_to_s): untainted strings can be tainted via Exception#to_s, which enables attackers to overwrite sane strings. Reported by: Yusuke Endoh <mame at tsg.ne.jp>. * error.c (name_err_to_s): ditto. * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): Test for it. Modified files: branches/ruby_1_8/ChangeLog branches/ruby_1_8/error.c branches/ruby_1_8/test/ruby/test_exception.rb Index: ruby_1_8/error.c =================================================================== --- ruby_1_8/error.c (revision 30902) +++ ruby_1_8/error.c (revision 30903) @@ -403,7 +403,6 @@ VALUE mesg = rb_attr_get(exc, rb_intern("mesg")); if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); return mesg; } @@ -667,10 +666,9 @@ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); StringValue(str); if (str != mesg) { - rb_iv_set(exc, "mesg", mesg = str); + OBJ_INFECT(str, mesg); } - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); - return mesg; + return str; } /* Index: ruby_1_8/ChangeLog =================================================================== --- ruby_1_8/ChangeLog (revision 30902) +++ ruby_1_8/ChangeLog (revision 30903) @@ -1,3 +1,16 @@ +Fri Feb 18 20:02:29 2011 Shugo Maeda <shugo@r...> + + * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): + Test for below. + +Fri Feb 18 19:58:34 2011 URABE Shyouhei <shyouhei@r...> + + * error.c (exc_to_s): untainted strings can be tainted via + Exception#to_s, which enables attackers to overwrite sane strings. + Reported by: Yusuke Endoh <mame at tsg.ne.jp>. + + * error.c (name_err_to_s): ditto. + Wed Jan 19 17:38:03 2011 NAKAMURA Usaku <usa@r...> * win32/win32.c (init_stdhandle): backport mistake of r29382. Index: ruby_1_8/test/ruby/test_exception.rb =================================================================== --- ruby_1_8/test/ruby/test_exception.rb (revision 30902) +++ ruby_1_8/test/ruby/test_exception.rb (revision 30903) @@ -184,4 +184,26 @@ assert(false) end end + + def test_to_s_taintness_propagation + for exc in [Exception, NameError] + m = "abcdefg" + e = exc.new(m) + e.taint + s = e.to_s + assert_equal(false, m.tainted?, + "#{exc}#to_s should not propagate taintness") + assert_equal(false, s.tainted?, + "#{exc}#to_s should not propagate taintness") + end + + o = Object.new + def o.to_str + "foo" + end + o.taint + e = NameError.new(o) + s = e.to_s + assert_equal(true, s.tainted?) + end end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/