ruby-changes:49130
From: usa <ko1@a...>
Date: Thu, 14 Dec 2017 22:53:53 +0900 (JST)
Subject: [ruby-changes:49130] usa:r61246 (ruby_2_2): merge revision(s) 61242: [Backport #14185]
usa 2017-12-14 22:53:48 +0900 (Thu, 14 Dec 2017) New Revision: 61246 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=61246 Log: merge revision(s) 61242: [Backport #14185] Fix a command injection vulnerability in Net::FTP. Modified directories: branches/ruby_2_2/ Modified files: branches/ruby_2_2/ChangeLog branches/ruby_2_2/lib/net/ftp.rb branches/ruby_2_2/test/net/ftp/test_ftp.rb branches/ruby_2_2/version.h Index: ruby_2_2/lib/net/ftp.rb =================================================================== --- ruby_2_2/lib/net/ftp.rb (revision 61245) +++ ruby_2_2/lib/net/ftp.rb (revision 61246) @@ -606,10 +606,10 @@ module Net https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/net/ftp.rb#L606 if localfile if @resume rest_offset = File.size?(localfile) - f = open(localfile, "a") + f = File.open(localfile, "a") else rest_offset = nil - f = open(localfile, "w") + f = File.open(localfile, "w") end elsif !block_given? result = "" @@ -637,7 +637,7 @@ module Net https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/net/ftp.rb#L637 def gettextfile(remotefile, localfile = File.basename(remotefile)) # :yield: line result = nil if localfile - f = open(localfile, "w") + f = File.open(localfile, "w") elsif !block_given? result = "" end @@ -683,7 +683,7 @@ module Net https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/net/ftp.rb#L683 else rest_offset = nil end - f = open(localfile) + f = File.open(localfile) begin f.binmode if rest_offset @@ -702,7 +702,7 @@ module Net https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/net/ftp.rb#L702 # passing in the transmitted data one line at a time. # def puttextfile(localfile, remotefile = File.basename(localfile), &block) # :yield: line - f = open(localfile) + f = File.open(localfile) begin storlines("STOR " + remotefile, f, &block) ensure Index: ruby_2_2/ChangeLog =================================================================== --- ruby_2_2/ChangeLog (revision 61245) +++ ruby_2_2/ChangeLog (revision 61246) @@ -1,3 +1,7 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1 +Thu Dec 14 22:52:11 2017 Shugo Maeda <shugo@r...> + + Fix a command injection vulnerability in Net::FTP. + Thu Dec 14 22:49:08 2017 SHIBATA Hiroshi <hsbt@r...> Merge rubygems-2.6.14 changes. Index: ruby_2_2/version.h =================================================================== --- ruby_2_2/version.h (revision 61245) +++ ruby_2_2/version.h (revision 61246) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1 #define RUBY_VERSION "2.2.9" #define RUBY_RELEASE_DATE "2017-12-14" -#define RUBY_PATCHLEVEL 478 +#define RUBY_PATCHLEVEL 479 #define RUBY_RELEASE_YEAR 2017 #define RUBY_RELEASE_MONTH 12 Index: ruby_2_2/test/net/ftp/test_ftp.rb =================================================================== --- ruby_2_2/test/net/ftp/test_ftp.rb (revision 61245) +++ ruby_2_2/test/net/ftp/test_ftp.rb (revision 61246) @@ -2,6 +2,7 @@ require "net/ftp" https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/net/ftp/test_ftp.rb#L2 require "test/unit" require "ostruct" require "stringio" +require "tmpdir" class FTPTest < Test::Unit::TestCase SERVER_ADDR = "127.0.0.1" @@ -825,6 +826,227 @@ class FTPTest < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/net/ftp/test_ftp.rb#L826 end end + def test_getbinaryfile_command_injection + skip "| is not allowed in filename on Windows" if windows? + [false, true].each do |resume| + commands = [] + binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 + server = create_ftp_server { |sock| + sock.print("220 (test_ftp).\r\n") + commands.push(sock.gets) + sock.print("331 Please specify the password.\r\n") + commands.push(sock.gets) + sock.print("230 Login successful.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to Binary mode.\r\n") + line = sock.gets + commands.push(line) + host, port = process_port_or_eprt(sock, line) + commands.push(sock.gets) + sock.print("150 Opening BINARY mode data connection for |echo hello (#{binary_data.size} bytes)\r\n") + conn = TCPSocket.new(host, port) + binary_data.scan(/.{1,1024}/nm) do |s| + conn.print(s) + end + conn.shutdown(Socket::SHUT_WR) + conn.read + conn.close + sock.print("226 Transfer complete.\r\n") + } + begin + chdir_to_tmpdir do + begin + ftp = Net::FTP.new + ftp.resume = resume + ftp.read_timeout = 0.2 + ftp.connect(SERVER_ADDR, server.port) + ftp.login + assert_match(/\AUSER /, commands.shift) + assert_match(/\APASS /, commands.shift) + assert_equal("TYPE I\r\n", commands.shift) + ftp.getbinaryfile("|echo hello") + assert_equal(binary_data, File.binread("./|echo hello")) + assert_match(/\A(PORT|EPRT) /, commands.shift) + assert_equal("RETR |echo hello\r\n", commands.shift) + assert_equal(nil, commands.shift) + ensure + ftp.close if ftp + end + end + ensure + server.close + end + end + end + + def test_gettextfile_command_injection + skip "| is not allowed in filename on Windows" if windows? + commands = [] + text_data = <<EOF.gsub(/\n/, "\r\n") +foo +bar +baz +EOF + server = create_ftp_server { |sock| + sock.print("220 (test_ftp).\r\n") + commands.push(sock.gets) + sock.print("331 Please specify the password.\r\n") + commands.push(sock.gets) + sock.print("230 Login successful.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to Binary mode.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to ASCII mode.\r\n") + line = sock.gets + commands.push(line) + host, port = process_port_or_eprt(sock, line) + commands.push(sock.gets) + sock.print("150 Opening TEXT mode data connection for |echo hello (#{text_data.size} bytes)\r\n") + conn = TCPSocket.new(host, port) + text_data.each_line do |l| + conn.print(l) + end + conn.shutdown(Socket::SHUT_WR) + conn.read + conn.close + sock.print("226 Transfer complete.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to Binary mode.\r\n") + } + begin + chdir_to_tmpdir do + begin + ftp = Net::FTP.new + ftp.connect(SERVER_ADDR, server.port) + ftp.login + assert_match(/\AUSER /, commands.shift) + assert_match(/\APASS /, commands.shift) + assert_equal("TYPE I\r\n", commands.shift) + ftp.gettextfile("|echo hello") + assert_equal(text_data.gsub(/\r\n/, "\n"), + File.binread("./|echo hello")) + assert_equal("TYPE A\r\n", commands.shift) + assert_match(/\A(PORT|EPRT) /, commands.shift) + assert_equal("RETR |echo hello\r\n", commands.shift) + assert_equal("TYPE I\r\n", commands.shift) + assert_equal(nil, commands.shift) + ensure + ftp.close if ftp + end + end + ensure + server.close + end + end + + def test_putbinaryfile_command_injection + skip "| is not allowed in filename on Windows" if windows? + commands = [] + binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 + received_data = nil + server = create_ftp_server { |sock| + sock.print("220 (test_ftp).\r\n") + commands.push(sock.gets) + sock.print("331 Please specify the password.\r\n") + commands.push(sock.gets) + sock.print("230 Login successful.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to Binary mode.\r\n") + line = sock.gets + commands.push(line) + host, port = process_port_or_eprt(sock, line) + commands.push(sock.gets) + sock.print("150 Opening BINARY mode data connection for |echo hello (#{binary_data.size} bytes)\r\n") + conn = TCPSocket.new(host, port) + received_data = conn.read + conn.close + sock.print("226 Transfer complete.\r\n") + } + begin + chdir_to_tmpdir do + File.binwrite("./|echo hello", binary_data) + begin + ftp = Net::FTP.new + ftp.read_timeout = 0.2 + ftp.connect(SERVER_ADDR, server.port) + ftp.login + assert_match(/\AUSER /, commands.shift) + assert_match(/\APASS /, commands.shift) + assert_equal("TYPE I\r\n", commands.shift) + ftp.putbinaryfile("|echo hello") + assert_equal(binary_data, received_data) + assert_match(/\A(PORT|EPRT) /, commands.shift) + assert_equal("STOR |echo hello\r\n", commands.shift) + assert_equal(nil, commands.shift) + ensure + ftp.close if ftp + end + end + ensure + server.close + end + end + + def test_puttextfile_command_injection + skip "| is not allowed in filename on Windows" if windows? + commands = [] + received_data = nil + server = create_ftp_server { |sock| + sock.print("220 (test_ftp).\r\n") + commands.push(sock.gets) + sock.print("331 Please specify the password.\r\n") + commands.push(sock.gets) + sock.print("230 Login successful.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to Binary mode.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to ASCII mode.\r\n") + line = sock.gets + commands.push(line) + host, port = process_port_or_eprt(sock, line) + commands.push(sock.gets) + sock.print("150 Opening TEXT mode data connection for |echo hello\r\n") + conn = TCPSocket.new(host, port) + received_data = conn.read + conn.close + sock.print("226 Transfer complete.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to Binary mode.\r\n") + } + begin + chdir_to_tmpdir do + File.open("|echo hello", "w") do |f| + f.puts("foo") + f.puts("bar") + f.puts("baz") + end + begin + ftp = Net::FTP.new + ftp.connect(SERVER_ADDR, server.port) + ftp.login + assert_match(/\AUSER /, commands.shift) + assert_match(/\APASS /, commands.shift) + assert_equal("TYPE I\r\n", commands.shift) + ftp.puttextfile("|echo hello") + assert_equal(<<EOF.gsub(/\n/, "\r\n"), received_data) +foo +bar +baz +EOF + assert_equal("TYPE A\r\n", commands.shift) + assert_match(/\A(PORT|EPRT) /, commands.shift) + assert_equal("STOR |echo hello\r\n", commands.shift) + assert_equal("TYPE I\r\n", commands.shift) + assert_equal(nil, commands.shift) + ensure + ftp.close if ftp + end + end + ensure + server.close + end + end + private def create_ftp_server(sleep_time = nil) @@ -847,4 +1069,16 @@ class FTPTest < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/net/ftp/test_ftp.rb#L1069 end return server end + + def chdir_to_tmpdir + Dir.mktmpdir do |dir| + pwd = Dir.pwd + Dir.chdir(dir) + begin + yield + ensure + Dir.chdir(pwd) + end + end + end end Index: ruby_2_2 =================================================================== --- ruby_2_2 (revision 61245) +++ ruby_2_2 (revision 61246) Property changes on: ruby_2_2 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /trunk:r61242 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/