ruby-changes:41081
From: usa <ko1@a...>
Date: Wed, 16 Dec 2015 21:15:39 +0900 (JST)
Subject: [ruby-changes:41081] usa:r53156 (ruby_2_1): merge revision(s): 53153 and 23405@ruby_1_9_1
usa 2015-12-16 21:15:26 +0900 (Wed, 16 Dec 2015) New Revision: 53156 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=53156 Log: merge revision(s): 53153 and 23405@ruby_1_9_1 * ext/fiddle/handle.c: check tainted string arguments. Patch provided by tenderlove and nobu. * test/fiddle/test_handle.rb (class TestHandle): add test for above. * ext/dl/handle.c (rb_dlhandle_initialize): prohibits DL::dlopen with a tainted name of library. Patch by sheepman <sheepman AT sheepman.sakura.ne.jp>. * ext/dl/handle.c (rb_dlhandle_sym): ditto Modified directories: branches/ruby_2_1/ Modified files: branches/ruby_2_1/ChangeLog branches/ruby_2_1/ext/fiddle/handle.c branches/ruby_2_1/test/fiddle/test_handle.rb branches/ruby_2_1/version.h Index: ruby_2_1/ChangeLog =================================================================== --- ruby_2_1/ChangeLog (revision 53155) +++ ruby_2_1/ChangeLog (revision 53156) @@ -1,3 +1,18 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ChangeLog#L1 +Wed Dec 16 21:10:03 2015 CHIKANAGA Tomoyuki <nagachika@r...> + + * ext/fiddle/handle.c: check tainted string arguments. + Patch provided by tenderlove and nobu. + + * test/fiddle/test_handle.rb (class TestHandle): add test for above. + +Wed Dec 16 21:10:36 2015 Yuki Sonoda (Yugui) <yugui@y...> + + * ext/dl/handle.c (rb_dlhandle_initialize): prohibits DL::dlopen + with a tainted name of library. + Patch by sheepman <sheepman AT sheepman.sakura.ne.jp>. + + * ext/dl/handle.c (rb_dlhandle_sym): ditto + Wed Dec 16 16:13:04 2015 Nobuyoshi Nakada <nobu@r...> * io.c (parse_mode_enc): fix buffer overflow. Index: ruby_2_1/ext/fiddle/handle.c =================================================================== --- ruby_2_1/ext/fiddle/handle.c (revision 53155) +++ ruby_2_1/ext/fiddle/handle.c (revision 53156) 
@@ -1,6 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/fiddle/handle.c#L1 #include <ruby.h> #include <fiddle.h> +#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v)) + VALUE rb_cHandle; struct dl_handle { @@ -143,11 +145,11 @@ rb_fiddle_handle_initialize(int argc, VA https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/fiddle/handle.c#L145 cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 1: - clib = NIL_P(lib) ? NULL : StringValuePtr(lib); + clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib); cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 2: - clib = NIL_P(lib) ? NULL : StringValuePtr(lib); + clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib); cflag = NUM2INT(flag); break; default: @@ -263,7 +265,7 @@ rb_fiddle_handle_to_i(VALUE self) https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/fiddle/handle.c#L265 return PTR2NUM(fiddle_handle); } -static VALUE fiddle_handle_sym(void *handle, const char *symbol); +static VALUE fiddle_handle_sym(void *handle, VALUE symbol); /* * Document-method: sym @@ -282,7 +284,7 @@ rb_fiddle_handle_sym(VALUE self, VALUE s https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/fiddle/handle.c#L284 rb_raise(rb_eFiddleError, "closed handle"); } - return fiddle_handle_sym(fiddle_handle->ptr, StringValueCStr(sym)); + return fiddle_handle_sym(fiddle_handle->ptr, sym); } #ifndef RTLD_NEXT @@ -305,11 +307,11 @@ rb_fiddle_handle_sym(VALUE self, VALUE s https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/fiddle/handle.c#L307 static VALUE rb_fiddle_handle_s_sym(VALUE self, VALUE sym) { - return fiddle_handle_sym(RTLD_NEXT, StringValueCStr(sym)); + return fiddle_handle_sym(RTLD_NEXT, sym); } static VALUE -fiddle_handle_sym(void *handle, const char *name) +fiddle_handle_sym(void *handle, VALUE symbol) { #if defined(HAVE_DLERROR) const char *err; 
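Review bot: The new `SafeStringValueCStr(v)` macro expands its argument twice and takes its address, so it is only correct for a side-effect-free `VALUE` lvalue, and nothing at the definition records that. A short comment would state the contract and what the macro enforces, for example `/* v must be a VALUE lvalue: it is expanded twice and may be replaced by its to_str result. Raises SecurityError for a tainted string when $SAFE >= 1, ArgumentError for an embedded NUL. */`. The taint check does nothing at the default safe level, so code that passes externally supplied library or symbol names still needs its own validation (an allow-list of names is the usual choice).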
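Review bot: In `case 1` and `case 2`, replacing `StringValuePtr(lib)` with a `StringValueCStr`-based conversion also changes how an embedded NUL in the library name is handled, and neither the log nor the ChangeLog entry mentions it. The old call returned a pointer that a C consumer would read only up to the first NUL, whereas the new one raises `ArgumentError`, which closes the gap between the string Ruby checked and the string the loader sees. That is worth a comment above the switch, such as `/* lib is rejected if tainted ($SAFE >= 1) or if it contains a NUL byte */`. The enclosing switch in `rb_fiddle_handle_initialize` starts and ends outside this hunk, so the call that consumes `clib` is not visible here.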
@@ -318,6 +320,7 @@ fiddle_handle_sym(void *handle, const ch https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/fiddle/handle.c#L320 # define CHECK_DLERROR #endif void (*func)(); + const char *name = SafeStringValueCStr(symbol); rb_secure(2); #ifdef HAVE_DLERROR @@ -367,7 +370,7 @@ fiddle_handle_sym(void *handle, const ch https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/fiddle/handle.c#L370 } #endif if( !func ){ - rb_raise(rb_eFiddleError, "unknown symbol \"%s\"", name); + rb_raise(rb_eFiddleError, "unknown symbol \"%"PRIsVALUE"\"", symbol); } return PTR2NUM(func); Index: ruby_2_1/version.h =================================================================== --- ruby_2_1/version.h (revision 53155) +++ ruby_2_1/version.h (revision 53156) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/version.h#L1 #define RUBY_VERSION "2.1.8" #define RUBY_RELEASE_DATE "2015-12-16" -#define RUBY_PATCHLEVEL 438 +#define RUBY_PATCHLEVEL 439 #define RUBY_RELEASE_YEAR 2015 #define RUBY_RELEASE_MONTH 12 Index: ruby_2_1/test/fiddle/test_handle.rb =================================================================== --- ruby_2_1/test/fiddle/test_handle.rb (revision 53155) +++ ruby_2_1/test/fiddle/test_handle.rb (revision 53156) 
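Review bot: In `fiddle_handle_sym`, the initializer `const char *name = SafeStringValueCStr(symbol);` runs before `rb_secure(2)`, so the string conversion (which can call `to_str` on a non-String argument and can raise) happens ahead of the cheaper safe-level gate. Keeping the declaration bare and assigning after the gate reads more naturally: `const char *name;` then `rb_secure(2);` followed by `name = SafeStringValueCStr(symbol);`. It would also help to note in a comment that `name` borrows the buffer of `symbol`, so `symbol` has to stay live for as long as `name` is used. The rest of the function body lies outside this hunk, so whether anything between the conversion and the last use of `name` can allocate was not checked here.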
@@ -10,6 +10,23 @@ module Fiddle https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/fiddle/test_handle.rb#L10 include Test::Unit::Assertions + def test_safe_handle_open + t = Thread.new do + $SAFE = 1 + Fiddle::Handle.new(LIBC_SO.taint) + end + assert_raise(SecurityError) { t.value } + end + + def test_safe_function_lookup + t = Thread.new do + h = Fiddle::Handle.new(LIBC_SO) + $SAFE = 1 + h["qsort".taint] + end + assert_raise(SecurityError) { t.value } + end + def test_to_i handle = Fiddle::Handle.new(LIBC_SO) assert_kind_of Integer, handle.to_i Property changes on: ruby_2_1 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r53153 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
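Review bot: The two new tests cover `Fiddle::Handle.new` with one argument and the instance lookup `h[...]`, but two other paths changed by this commit have no test: the two-argument open (`case 2` in `rb_fiddle_handle_initialize`) and the class-level lookup through `rb_fiddle_handle_s_sym`. Each goes through its own call site of the taint check, so a regression in either would pass unnoticed. Tests in the same shape as the existing ones would cover them, and a further case asserting `ArgumentError` for a name with an embedded NUL would pin down the `StringValueCStr` behaviour.

```ruby
def test_safe_handle_open_with_flags
  t = Thread.new do
    $SAFE = 1
    Fiddle::Handle.new(LIBC_SO.taint, Fiddle::Handle::RTLD_LAZY)
  end
  assert_raise(SecurityError) { t.value }
end

def test_safe_class_function_lookup
  t = Thread.new do
    $SAFE = 1
    Fiddle::Handle.sym("qsort".taint)
  end
  assert_raise(SecurityError) { t.value }
end
```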