ruby-changes:65787
From: Nobuyoshi <ko1@a...>
Date: Mon, 5 Apr 2021 20:49:28 +0900 (JST)
Subject: [ruby-changes:65787] 3b97a6496f (ruby_3_0): Make usable chars more strict
https://git.ruby-lang.org/ruby.git/commit/?id=3b97a6496f
From 3b97a6496f35efbc6aef9aef2bd1fe87e6b5d158 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@r...>
Date: Thu, 1 Apr 2021 01:17:45 +0900
Subject: Make usable chars more strict
Remove other than alphanumeric and some punctuations considered filesystem-safe, instead of removing some unsafe chars only.
https://hackerone.com/reports/1131465
---
 lib/tmpdir.rb | 2 +-
 test/test_tmpdir.rb | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/tmpdir.rb b/lib/tmpdir.rb
index 0b1f00a..bf7db52 100644
--- a/lib/tmpdir.rb
+++ b/lib/tmpdir.rb
@@ -115,7 +115,7 @@ class Dir https://github.com/ruby/ruby/blob/trunk/lib/tmpdir.rb#L115
 Dir.tmpdir
 end
- UNUSABLE_CHARS = [File::SEPARATOR, File::ALT_SEPARATOR, File::PATH_SEPARATOR, ":"].uniq.join("").freeze
+ UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~"
 class << (RANDOM = Random.new)
 MAX = 36**6 # < 0x100000000
diff --git a/test/test_tmpdir.rb b/test/test_tmpdir.rb
index c56fd5f..7ef9f59 100644
--- a/test/test_tmpdir.rb
+++ b/test/test_tmpdir.rb
@@ -97,8 +97,10 @@ class TestTmpdir < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/test_tmpdir.rb#L97
 target = target.chomp('/') + '/'
 traversal_path = target.sub(/\A\w:/, '') # for DOSISH
 traversal_path = Array.new(target.count('/')-2, '..').join('/') + traversal_path
- actual = yield traversal_path
- assert_not_send([File.absolute_path(actual), :start_with?, target])
+ [File::SEPARATOR, File::ALT_SEPARATOR].compact.each do |separator|
+ actual = yield traversal_path.tr('/', separator)
+ assert_not_send([File.absolute_path(actual), :start_with?, target])
+ end
 end
 end
 end
-- cgit v1.1
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
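Review bot: In lib/tmpdir.rb the new `UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~"` is no longer a list of unusable characters but a negated character-set spec (leading `^`, with `,-.` acting as a range), so the name now says the opposite of what the literal holds and nothing on the line explains it. I would add a comment above it such as `# String#delete-style spec: "^" negates, so every char except , - . 0-9 A-Z _ a-z ~ is stripped (allowlist)`; the value only works if the consumer treats it as such a spec, and since the consumer is outside this hunk that is presumably the case but worth confirming. The old literal ended in `.freeze` and the new one does not, so unless the file carries a `# frozen_string_literal: true` magic comment (not visible here) keep it as `UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~".freeze`. The allowlist also drops every non-ASCII character from caller-supplied names, a visible behaviour change that deserves a line in the method documentation. The `class Dir` body continues outside the hunk.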
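Review bot: The loop added to the traversal helper in test/test_tmpdir.rb still asserts only a negative, `assert_not_send([File.absolute_path(actual), :start_with?, target])`, so it shows the result is not under `target` but would also pass if the entry landed in some other unintended directory. A failure does not say which separator triggered it; passing a message, e.g. `assert_not_send([File.absolute_path(actual), :start_with?, target], "separator: #{separator.inspect}")`, would make a platform-specific failure readable. Because `File::ALT_SEPARATOR` is nil on POSIX, `compact` leaves only `/` there, so the alternate-separator case runs only on DOSISH platforms, and none of the other characters the new allowlist strips get a test in this hunk. The enclosing method begins above the hunk, so what the block yields is not visible here.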