[前][次][番号順一覧][スレッド一覧]

ruby-changes:41160

From: nobu <ko1@a...>
Date: Tue, 22 Dec 2015 05:40:21 +0900 (JST)
Subject: [ruby-changes:41160] nobu:r53233 (trunk): escape.c: Preserve original state

nobu	2015-12-22 05:40:02 +0900 (Tue, 22 Dec 2015)

  New Revision: 53233

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=53233

  Log:
    escape.c: Preserve original state
    
    * ext/cgi/escape/escape.c (preserve_original_state): Preserve
      original state for tainted and frozen.  [Fix GH-1166]
      [ruby-dev:49451] [Bug #11855]

  Modified files:
    trunk/ChangeLog
    trunk/ext/cgi/escape/escape.c
    trunk/test/cgi/test_cgi_util.rb
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 53232)
+++ ChangeLog	(revision 53233)
@@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Tue Dec 22 05:39:58 2015  Takashi Kokubun  <takashikkbn@g...>
+
+	* ext/cgi/escape/escape.c (preserve_original_state): Preserve
+	  original state for tainted and frozen.  [Fix GH-1166]
+	  [ruby-dev:49451] [Bug #11855]
+
 Tue Dec 22 03:57:20 2015  Eric Wong  <e@8...>
 
 	* ext/socket/init.c (rsock_init_sock): check FD after validating
Index: ext/cgi/escape/escape.c
===================================================================
--- ext/cgi/escape/escape.c	(revision 53232)
+++ ext/cgi/escape/escape.c	(revision 53233)
@@ -25,6 +25,14 @@ html_escaped_cat(VALUE str, char c) https://github.com/ruby/ruby/blob/trunk/ext/cgi/escape/escape.c#L25
     }
 }
 
+static inline void
+preserve_original_state(VALUE orig, VALUE dest)
+{
+    rb_enc_associate(dest, rb_enc_get(orig));
+
+    FL_SET_RAW(dest, FL_TEST_RAW(orig, FL_FREEZE|FL_TAINT));
+}
+
 static VALUE
 optimized_escape_html(VALUE str)
 {
@@ -57,7 +65,7 @@ optimized_escape_html(VALUE str) https://github.com/ruby/ruby/blob/trunk/ext/cgi/escape/escape.c#L65
 
     if (modified) {
 	rb_str_cat(dest, cstr + beg, len - beg);
-	rb_enc_associate(dest, rb_enc_get(str));
+	preserve_original_state(str, dest);
 	return dest;
     }
     else {
Index: test/cgi/test_cgi_util.rb
===================================================================
--- test/cgi/test_cgi_util.rb	(revision 53232)
+++ test/cgi/test_cgi_util.rb	(revision 53233)
@@ -68,6 +68,16 @@ class CGIUtilTest < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/cgi/test_cgi_util.rb#L68
     assert_equal(Encoding::UTF_8, CGI::escapeHTML("'&\"><".force_encoding("UTF-8")).encoding)
   end
 
+  def test_cgi_escape_html_preserve_tainted
+    assert_equal(false, CGI::escapeHTML("'&\"><").tainted?)
+    assert_equal(true, CGI::escapeHTML("'&\"><".taint).tainted?)
+  end
+
+  def test_cgi_escape_html_preserve_frozen
+    assert_equal(false, CGI::escapeHTML("'&\"><".dup).frozen?)
+    assert_equal(true, CGI::escapeHTML("'&\"><".freeze).frozen?)
+  end
+
   def test_cgi_unescapeHTML
     assert_equal("'&\"><", CGI::unescapeHTML("&#39;&amp;&quot;&gt;&lt;"))
   end

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]