ruby-changes:46881
From: nobu <ko1@a...>
Date: Fri, 2 Jun 2017 12:54:25 +0900 (JST)
Subject: [ruby-changes:46881] nobu:r58996 (trunk): file.c: preserve encoding
nobu 2017-06-02 12:54:19 +0900 (Fri, 02 Jun 2017) New Revision: 58996 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=58996 Log: file.c: preserve encoding * file.c (rb_find_file_safe): preserve encoding of path in SecurityError messages. Modified files: trunk/file.c trunk/test/ruby/test_require.rb
Index: file.c
===================================================================
--- file.c (revision 58995)
+++ file.c (revision 58996)
@@ -5840,7 +5840,7 @@ rb_find_file_safe(VALUE path, int safe_l https://github.com/ruby/ruby/blob/trunk/file.c#L5840
 if (f[0] == '~') {
 tmp = file_expand_path_1(path);
 if (safe_level >= 1 && OBJ_TAINTED(tmp)) {
- rb_raise(rb_eSecurityError, "loading from unsafe file %s", f);
+ rb_raise(rb_eSecurityError, "loading from unsafe file %"PRIsVALUE, tmp);
 }
 path = copy_path_class(tmp, path);
 f = RSTRING_PTR(path);
@@ -5849,7 +5849,7 @@ rb_find_file_safe(VALUE path, int safe_l https://github.com/ruby/ruby/blob/trunk/file.c#L5849
 if (expanded || rb_is_absolute_path(f) || is_explicit_relative(f)) {
 if (safe_level >= 1 && !fpath_check(path)) {
- rb_raise(rb_eSecurityError, "loading from unsafe path %s", f);
+ rb_raise(rb_eSecurityError, "loading from unsafe path %"PRIsVALUE, path);
 }
 if (!rb_file_load_ok(f)) return 0;
 if (!expanded)
@@ -5881,7 +5881,7 @@ rb_find_file_safe(VALUE path, int safe_l https://github.com/ruby/ruby/blob/trunk/file.c#L5881
 found:
 if (safe_level >= 1 && !fpath_check(tmp)) {
- rb_raise(rb_eSecurityError, "loading from unsafe file %s", f);
+ rb_raise(rb_eSecurityError, "loading from unsafe file %"PRIsVALUE, tmp);
 }
 return copy_path_class(tmp, path);
Index: test/ruby/test_require.rb
===================================================================
--- test/ruby/test_require.rb (revision 58995)
+++ test/ruby/test_require.rb (revision 58996)
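Review bot: In file.c, the first hunk (the `~` branch of rb_find_file_safe) changes what the SecurityError reports, not only its encoding: the old call printed `f`, the path as the caller wrote it, and the new one prints `tmp`, the result of file_expand_path_1(path). Anyone who can read the exception text now sees the expanded path, which for a `~` path presumably includes the resolved home directory. If only the encoding was meant to change, `path` still holds the original value at that point and could be passed instead: `rb_raise(rb_eSecurityError, "loading from unsafe file %"PRIsVALUE, path);`. The third hunk (`found:`) makes the same `f` to `tmp` switch; there `tmp` is the object fpath_check just rejected, so a one-line comment such as `/* report the file that failed the check, in its own encoding */` would be enough. The function body starts and ends outside these hunks.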
@@ -87,6 +87,17 @@ class TestRequire < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_require.rb#L87
 end
 end
+ SECURITY_WARNING =
+ if /mswin|mingw/ =~ RUBY_PLATFORM
+ nil
+ else
+ proc do |require_path|
+ File.chmod(0777, File.dirname(require_path))
+ $SAFE = 1
+ require(require_path)
+ end
+ end
+
 def assert_require_nonascii_path(encoding, bug)
 Dir.mktmpdir {|tmp|
 dir = "\u3042" * 5
@@ -109,6 +120,17 @@ class TestRequire < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_require.rb#L120
 assert_equal(self.class.ospath_encoding(require_path), $:.last.encoding, '[Bug #8753]')
 assert(!require(require_path), bug)
 }
+ $:.replace(load_path)
+ $".replace(features)
+ if SECURITY_WARNING
+ require_path.untaint
+ ospath = require_path.encode(self.class.ospath_encoding(require_path))
+ assert_warn(/Insecure world writable dir/) do
+ assert_raise_with_message(SecurityError, "loading from unsafe path #{ospath}") do
+ SECURITY_WARNING.call(require_path)
+ end
+ end
+ end
 ensure
 $:.replace(load_path)
 $".replace(features)
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
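Review bot: The SECURITY_WARNING proc in the first test hunk changes two pieces of state and nothing in the hunk undoes either: the parent directory of `require_path` is left at mode 0777 and `$SAFE` is left at 1. Whether the `$SAFE` assignment stays confined to the proc depends on the interpreter, and the directory is presumably removed by the caller's tmpdir cleanup, but the code states neither. A comment above the constant would record the assumption, for example `# Runs require at $SAFE=1 from a world-writable dir; relies on $SAFE being proc-local and on the caller removing the directory.` If the elevated level can outlive the proc, every later test in the process runs at level 1, so it is worth confirming.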
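Review bot: The assertion added in the second test hunk pins only the `loading from unsafe path` message, so two of the three rb_raise calls this commit changes in file.c have no test for their encoding: the `loading from unsafe file` ones in the `~` branch and at `found:`. A companion case that requires a tainted non-ASCII path through the `~` branch at `$SAFE = 1` would cover the first of them. The added `$:.replace(load_path)` and `$".replace(features)` repeat what the `ensure` clause just below does; a short comment such as `# reset load state so the second require is not skipped as already loaded` would explain why they are needed here. The enclosing method assert_require_nonascii_path starts in the previous hunk and ends outside this one.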