[前][次][番号順一覧][スレッド一覧]

ruby-changes:49235

From: nobu <ko1@a...>
Date: Wed, 20 Dec 2017 13:25:05 +0900 (JST)
Subject: [ruby-changes:49235] nobu:r61351 (trunk): Fixed command Injection

nobu	2017-12-20 13:25:01 +0900 (Wed, 20 Dec 2017)

  New Revision: 61351

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=61351

  Log:
    Fixed command Injection
    
    * lib/resolv.rb (Resolv::Config.parse_resolv_conf): fixed
      potential command injection by use of Kernel#open.
      [ruby-core:84347] [Bug #14205]

  Modified files:
    trunk/lib/resolv.rb
    trunk/test/resolv/test_addr.rb
    trunk/test/resolv/test_dns.rb
Index: test/resolv/test_dns.rb
===================================================================
--- test/resolv/test_dns.rb	(revision 61350)
+++ test/resolv/test_dns.rb	(revision 61351)
@@ -179,6 +179,16 @@ class TestResolvDNS < Test::Unit::TestCa https://github.com/ruby/ruby/blob/trunk/test/resolv/test_dns.rb#L179
     end
   end
 
+  def test_resolv_conf_by_command
+    Dir.mktmpdir do |dir|
+      Dir.chdir(dir) do
+        assert_raise(Errno::ENOENT) do
+          Resolv::DNS::Config.parse_resolv_conf("|echo foo")
+        end
+      end
+    end
+  end
+
   def test_dots_diffences
     name1 = Resolv::DNS::Name.create("example.org")
     name2 = Resolv::DNS::Name.create("ex.ampl.eo.rg")
Index: test/resolv/test_addr.rb
===================================================================
--- test/resolv/test_addr.rb	(revision 61350)
+++ test/resolv/test_addr.rb	(revision 61351)
@@ -27,4 +27,15 @@ class TestResolvAddr < Test::Unit::TestC https://github.com/ruby/ruby/blob/trunk/test/resolv/test_addr.rb#L27
       end
     end
   end
+
+  def test_hosts_by_command
+    Dir.mktmpdir do |dir|
+      Dir.chdir(dir) do
+        hosts = Resolv::Hosts.new("|echo error")
+        assert_raise(Errno::ENOENT) do
+          hosts.each_name("") {}
+        end
+      end
+    end
+  end
 end
Index: lib/resolv.rb
===================================================================
--- lib/resolv.rb	(revision 61350)
+++ lib/resolv.rb	(revision 61351)
@@ -928,7 +928,7 @@ class Resolv https://github.com/ruby/ruby/blob/trunk/lib/resolv.rb#L928
         nameserver = []
         search = nil
         ndots = 1
-        open(filename, 'rb') {|f|
+        File.open(filename, 'rb') {|f|
           f.each {|line|
             line.sub!(/[#;].*/, '')
             keyword, *args = line.split(/\s+/)

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]