
ruby-changes:65792

From: Nobuyoshi <ko1@a...>
Date: Mon, 5 Apr 2021 21:09:26 +0900 (JST)
Subject: [ruby-changes:65792] 4b6fa03a72 (master): [ruby/tmpdir] Make usable chars more strict

https://git.ruby-lang.org/ruby.git/commit/?id=4b6fa03a72

From 4b6fa03a72b23fa03a8f37cbfdcad3f0251832cf Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@r...>
Date: Thu, 1 Apr 2021 01:17:45 +0900
Subject: [ruby/tmpdir] Make usable chars more strict

Remove chars other than alphanumerics and some punctuation considered
filesystem-safe, instead of removing only some unsafe chars.

https://hackerone.com/reports/1131465

https://github.com/ruby/tmpdir/commit/adf294bc2d
---
 lib/tmpdir.rb       | 2 +-
 test/test_tmpdir.rb | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/tmpdir.rb b/lib/tmpdir.rb
index 0b1f00a..bf7db52 100644
--- a/lib/tmpdir.rb
+++ b/lib/tmpdir.rb
@@ -115,7 +115,7 @@ class Dir https://github.com/ruby/ruby/blob/trunk/lib/tmpdir.rb#L115
       Dir.tmpdir
     end
 
-    UNUSABLE_CHARS = [File::SEPARATOR, File::ALT_SEPARATOR, File::PATH_SEPARATOR, ":"].uniq.join("").freeze
+    UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~"
 
     class << (RANDOM = Random.new)
       MAX = 36**6 # < 0x100000000
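Review bot: the new value on the `+    UNUSABLE_CHARS = "^,-.0-9A-Z_a-z~"` line is a String#delete/String#tr character-class spec, not a plain list of characters like the old `[...].uniq.join("")`: the leading `^` negates the set and `,-.` is a range from `,` to `.`, so comma, hyphen and period are kept along with digits, ASCII letters, `_` and `~`, and everything else is dropped. The call site that consumes the constant is not in this hunk, so confirm that every use passes it to `delete` or `tr` (any code that iterates it as a literal list of forbidden characters now gets the opposite meaning), and consider a one-line comment documenting the spec, since the name `UNUSABLE_CHARS` now holds an allowlist written as a negated class. Also, the old value was `.freeze`d while the new literal is not; unless the file carries the `frozen_string_literal` magic comment, the constant becomes mutable in place.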
diff --git a/test/test_tmpdir.rb b/test/test_tmpdir.rb
index c56fd5f..7ef9f59 100644
--- a/test/test_tmpdir.rb
+++ b/test/test_tmpdir.rb
@@ -97,8 +97,10 @@ class TestTmpdir < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/test_tmpdir.rb#L97
       target = target.chomp('/') + '/'
       traversal_path = target.sub(/\A\w:/, '') # for DOSISH
       traversal_path = Array.new(target.count('/')-2, '..').join('/') + traversal_path
-      actual = yield traversal_path
-      assert_not_send([File.absolute_path(actual), :start_with?, target])
+      [File::SEPARATOR, File::ALT_SEPARATOR].compact.each do |separator|
+        actual = yield traversal_path.tr('/', separator)
+        assert_not_send([File.absolute_path(actual), :start_with?, target])
+      end
     end
   end
 end
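Review bot: the loop over `[File::SEPARATOR, File::ALT_SEPARATOR].compact` only exercises the path-traversal case with each separator; nothing in the test covers the wider rule the commit message describes (every character outside the alphanumeric-plus-listed-punctuation set is now removed), so add a case that passes a prefix containing a character outside that allowlist, such as a colon or a space, and asserts that it does not appear in the created name. A smaller point on the same lines: after `traversal_path.tr('/', separator)` the `actual` path uses `File::ALT_SEPARATOR` while `target` still uses `/`, so a short comment confirming that `File.absolute_path` normalizes to `/` on DOSISH platforms would make clear why the `start_with?` comparison is valid there.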
