ruby-changes:18886
From: shyouhei <ko1@a...>
Date: Fri, 18 Feb 2011 21:32:45 +0900 (JST)
Subject: [ruby-changes:18886] Ruby:r30911 (ruby_1_8_7): merge revision(s) 30903:
shyouhei 2011-02-18 21:32:35 +0900 (Fri, 18 Feb 2011) New Revision: 30911 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=30911 Log: merge revision(s) 30903: * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): Test for below. * error.c (exc_to_s): untainted strings can be tainted via Exception#to_s, which enables attackers to overwrite sane strings. Reported by: Yusuke Endoh <mame at tsg.ne.jp>. * error.c (name_err_to_s): ditto. Modified files: branches/ruby_1_8_7/ChangeLog branches/ruby_1_8_7/error.c branches/ruby_1_8_7/test/ruby/test_exception.rb branches/ruby_1_8_7/version.h Index: ruby_1_8_7/error.c =================================================================== --- ruby_1_8_7/error.c (revision 30910) +++ ruby_1_8_7/error.c (revision 30911) @@ -403,7 +403,6 @@ VALUE mesg = rb_attr_get(exc, rb_intern("mesg")); if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); return mesg; } @@ -667,10 +666,9 @@ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); StringValue(str); if (str != mesg) { - rb_iv_set(exc, "mesg", mesg = str); + OBJ_INFECT(str, mesg); } - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); - return mesg; + return str; } /* Index: ruby_1_8_7/ChangeLog =================================================================== --- ruby_1_8_7/ChangeLog (revision 30910) +++ ruby_1_8_7/ChangeLog (revision 30911) @@ -1,3 +1,16 @@ +Fri Feb 18 21:18:55 2011 Shugo Maeda <shugo@r...> + + * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): + Test for below. + +Fri Feb 18 21:18:55 2011 URABE Shyouhei <shyouhei@r...> + + * error.c (exc_to_s): untainted strings can be tainted via + Exception#to_s, which enables attackers to overwrite sane strings. + Reported by: Yusuke Endoh <mame at tsg.ne.jp>. + + * error.c (name_err_to_s): ditto. + Fri Feb 18 21:17:22 2011 Shugo Maeda <shugo@r...> * lib/fileutils.rb (FileUtils::remove_entry_secure): there is a Index: ruby_1_8_7/version.h =================================================================== --- ruby_1_8_7/version.h (revision 30910) +++ ruby_1_8_7/version.h (revision 30911) @@ -2,7 +2,7 @@ #define RUBY_RELEASE_DATE "2011-02-18" #define RUBY_VERSION_CODE 187 #define RUBY_RELEASE_CODE 20110218 -#define RUBY_PATCHLEVEL 333 +#define RUBY_PATCHLEVEL 334 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 Index: ruby_1_8_7/test/ruby/test_exception.rb =================================================================== --- ruby_1_8_7/test/ruby/test_exception.rb (revision 30910) +++ ruby_1_8_7/test/ruby/test_exception.rb (revision 30911) @@ -184,4 +184,26 @@ assert(false) end end + + def test_to_s_taintness_propagation + for exc in [Exception, NameError] + m = "abcdefg" + e = exc.new(m) + e.taint + s = e.to_s + assert_equal(false, m.tainted?, + "#{exc}#to_s should not propagate taintness") + assert_equal(false, s.tainted?, + "#{exc}#to_s should not propagate taintness") + end + + o = Object.new + def o.to_str + "foo" + end + o.taint + e = NameError.new(o) + s = e.to_s + assert_equal(true, s.tainted?) + end end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/