ruby-changes:28676
From: nagachika <ko1@a...>
Date: Tue, 14 May 2013 20:07:10 +0900 (JST)
Subject: [ruby-changes:28676] nagachika:r40728 (trunk): * ext/dl/lib/dl/func.rb (DL::Function#call): check tainted when
nagachika 2013-05-14 20:06:58 +0900 (Tue, 14 May 2013) New Revision: 40728 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=40728 Log: * ext/dl/lib/dl/func.rb (DL::Function#call): check tainted when $SAFE > 0. * ext/fiddle/function.c (function_call): check tainted when $SAFE > 0. * test/fiddle/test_func.rb (module Fiddle): add test for above. Modified files: trunk/ChangeLog trunk/ext/dl/lib/dl/func.rb trunk/ext/fiddle/function.c trunk/test/fiddle/test_func.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 40727) +++ ChangeLog (revision 40728) @@ -1,3 +1,11 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Tue May 14 19:58:17 2013 CHIKANAGA Tomoyuki <nagachika@r...> + + * ext/dl/lib/dl/func.rb (DL::Function#call): check tainted when + $SAFE > 0. + * ext/fiddle/function.c (function_call): check tainted when $SAFE > 0. + * test/fiddle/test_func.rb (module Fiddle): add test for above. + + Tue May 14 14:51:52 2013 Nobuyoshi Nakada <nobu@r...> * include/ruby/win32.h (INTPTR_MAX, INTPTR_MIN, UINTPTR_MAX): split Index: ext/dl/lib/dl/func.rb =================================================================== --- ext/dl/lib/dl/func.rb (revision 40727) +++ ext/dl/lib/dl/func.rb (revision 40728) @@ -92,6 +92,9 @@ module DL https://github.com/ruby/ruby/blob/trunk/ext/dl/lib/dl/func.rb#L92 super else funcs = [] + if $SAFE >= 1 && args.any? { |x| x.tainted? } + raise SecurityError, "tainted parameter not allowed" + end _args = wrap_args(args, @stack.types, funcs, &block) r = @cfunc.call(@stack.pack(_args)) funcs.each{|f| f.unbind_at_call()} Index: ext/fiddle/function.c =================================================================== --- ext/fiddle/function.c (revision 40727) +++ ext/fiddle/function.c (revision 40728) 
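Review bot: The guard added to `DL::Function#call` looks only at the top-level elements of `args`, so a tainted value held inside a container argument, or anything arriving through `&block`, is never examined before `wrap_args` runs. The loop added to `function_call` in ext/fiddle/function.c is shallow in the same way. Whether `wrap_args` accepts containers is not visible here, so this may be unreachable in practice, but the intended scope deserves a comment above the check, for example `# $SAFE >= 1: reject tainted top-level arguments; nested values are not inspected`. As a style point the block can be written `args.any?(&:tainted?)`. The method starts and ends outside the hunk, and the `super` branch above the change is not touched by it.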
@@ -126,6 +126,15 @@ function_call(int argc, VALUE argv[], VA https://github.com/ruby/ruby/blob/trunk/ext/fiddle/function.c#L126 TypedData_Get_Struct(self, ffi_cif, &function_data_type, cif); + if (rb_safe_level() >= 1) { + for (i = 0; i < argc; i++) { + VALUE src = argv[i]; + if (OBJ_TAINTED(src)) { + rb_raise(rb_eSecurityError, "tainted parameter not allowed"); + } + } + } + values = xcalloc((size_t)argc + 1, (size_t)sizeof(void *)); generic_args = xcalloc((size_t)argc, (size_t)sizeof(fiddle_generic)); Index: test/fiddle/test_func.rb =================================================================== --- test/fiddle/test_func.rb (revision 40727) +++ test/fiddle/test_func.rb (revision 40728) @@ -7,6 +7,16 @@ module Fiddle https://github.com/ruby/ruby/blob/trunk/test/fiddle/test_func.rb#L7 assert_nil f.call(10) end + def test_syscall_with_tainted_string + f = Function.new(@libc['system'], [TYPE_VOIDP], TYPE_INT) + assert_raises(SecurityError) do + Thread.new { + $SAFE = 1 + f.call("uname -rs".taint) + }.join + end + end + def test_sinf begin f = Function.new(@libm['sinf'], [TYPE_FLOAT], TYPE_FLOAT) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
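Review bot: The taint loop in `function_call` has no comment explaining why it sits ahead of the two `xcalloc` calls, and that ordering matters. `rb_raise` does not return, so raising after the allocations would presumably leave `values` and `generic_args` unfreed. I would add `/* Reject tainted arguments before allocating; rb_raise() does not return. */` above the `if (rb_safe_level() >= 1)` line so a later reordering does not move the check down. The temporary `src` can also be dropped in favour of `OBJ_TAINTED(argv[i])`. The function body starts and ends outside the hunk, so the declaration of `i` is assumed to be elsewhere in it.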
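Review bot: `test_syscall_with_tainted_string` pins only the rejecting path, so a check that raised `SecurityError` for every argument at `$SAFE = 1` would still pass. A companion test that calls a function with an untainted string at the same safe level would catch an over-broad check. The commit also adds no test for the matching guard in ext/dl/lib/dl/func.rb. The sketch below uses `strlen` so the accepted call has no side effects; it is untested, and it assumes nothing else in `Function#call` objects to `$SAFE = 1`.

```ruby
# … unchanged: test_syscall_with_tainted_string …

def test_call_with_untainted_string_at_safe_level_1
  f = Function.new(@libc['strlen'], [TYPE_VOIDP], TYPE_INT)
  len = Thread.new {
    $SAFE = 1
    f.call("uname -rs")
  }.value
  assert_equal 9, len
end
```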