[Prev][Next][Index by number][Index by thread]

ruby-changes:73756

From: Jeremy <ko1@a...>
Date: Wed, 28 Sep 2022 17:26:19 +0900 (JST)
Subject: [ruby-changes:73756] cd77e71bba (master): [ruby/net-http] Remove ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE

https://git.ruby-lang.org/ruby.git/commit/?id=cd77e71bba

From cd77e71bbac9616a906f6823a8eba4922821e9ad Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@j...>
Date: Wed, 24 Aug 2022 11:38:17 -0700
Subject: [ruby/net-http] Remove ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE

This list is out of date.  At least OpenBSD since 2013 does not
allow one user to read the environment variables of a process
run by another user.

While we could try to keep the list updated, I think it's a bad
idea to not use the user/password from the environment, even if
another user on the system could read it.  If http_proxy exists
in the environment, and other users can read it, it doesn't
make it more secure for Ruby to ignore it.  You could argue that
it encourages poor security practices, but net/http should provide
mechanism, not policy.

Fixes [Bug #18908]

https://github.com/ruby/net-http/commit/1e4585153d
---
 lib/net/http.rb            | 11 ++---------
 test/net/http/test_http.rb | 18 ++++--------------
 2 files changed, 6 insertions(+), 23 deletions(-)

diff --git a/lib/net/http.rb b/lib/net/http.rb
index a583441253..7e89409c1b 100644
--- a/lib/net/http.rb
+++ b/lib/net/http.rb
@@ -1221,16 +1221,9 @@ module Net   #:nodoc: https://github.com/ruby/ruby/blob/trunk/lib/net/http.rb#L1221
       end
     end
 
-    # [Bug #12921]
-    if /linux|freebsd|darwin/ =~ RUBY_PLATFORM
-      ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE = true
-    else
-      ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE = false
-    end
-
     # The username of the proxy server, if one is configured.
     def proxy_user
-      if ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE && @proxy_from_env
+      if @proxy_from_env
         user = proxy_uri&.user
         unescape(user) if user
       else
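Review bot: deleting `ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE` removes a public constant from `Net::HTTP`; any downstream code that checked it, as this patch's own test file did before the change, will now raise NameError. A deprecation note in NEWS or a short-lived alias would make the break visible. The `# [Bug #12921]` comment goes with it, so the reason credentials are read from the environment is no longer recorded in the source; a one-line note on `proxy_user` pointing at [Bug #18908] would keep the history discoverable.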
@@ -1240,7 +1233,7 @@ module Net   #:nodoc: https://github.com/ruby/ruby/blob/trunk/lib/net/http.rb#L1233
 
     # The password of the proxy server, if one is configured.
     def proxy_pass
-      if ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE && @proxy_from_env
+      if @proxy_from_env
         pass = proxy_uri&.password
         unescape(pass) if pass
       else
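Review bot: the docstring `# The password of the proxy server, if one is configured.` no longer says where the value comes from. Since `proxy_pass` now returns the percent-decoded userinfo of the `http_proxy` URL on every platform when `@proxy_from_env` is set, and this is a behaviour change for platforms outside the old `linux|freebsd|darwin` list, the comment should state that the password may be taken from the environment and is decoded via `unescape`.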
diff --git a/test/net/http/test_http.rb b/test/net/http/test_http.rb
index e9471273f4..0508645ac5 100644
--- a/test/net/http/test_http.rb
+++ b/test/net/http/test_http.rb
@@ -178,13 +178,8 @@ class TestNetHTTP < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/net/http/test_http.rb#L178
       http = Net::HTTP.new 'hostname.example'
 
       assert_equal true, http.proxy?
-      if Net::HTTP::ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE
-        assert_equal 'foo', http.proxy_user
-        assert_equal 'bar', http.proxy_pass
-      else
-        assert_nil http.proxy_user
-        assert_nil http.proxy_pass
-      end
+      assert_equal 'foo', http.proxy_user
+      assert_equal 'bar', http.proxy_pass
     end
   end
 
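Review bot: with the `ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE` branch gone, `assert_equal 'foo', http.proxy_user` and `assert_equal 'bar', http.proxy_pass` now run on every platform, including those where the old code asserted `nil`. Make sure CI on a runner outside the former `linux|freebsd|darwin` set actually exercises this test, otherwise the unconditional path is only verified where it was already true.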
@@ -195,13 +190,8 @@ class TestNetHTTP < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/net/http/test_http.rb#L190
       http = Net::HTTP.new 'hostname.example'
 
       assert_equal true, http.proxy?
-      if Net::HTTP::ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE
-        assert_equal "Y\\X", http.proxy_user
-        assert_equal "R%S] ?X", http.proxy_pass
-      else
-        assert_nil http.proxy_user
-        assert_nil http.proxy_pass
-      end
+      assert_equal "Y\\X", http.proxy_user
+      assert_equal "R%S] ?X", http.proxy_pass
     end
   end
 
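Review bot: this test only covers the case where `http_proxy` carries percent-encoded credentials (`"Y\\X"`, `"R%S] ?X"`). Since `proxy_user`/`proxy_pass` now take the environment path unconditionally, a companion assertion that both return `nil` when the `http_proxy` URL has no userinfo would pin down the new behaviour and guard against a regression that returns empty strings instead of `nil`.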
-- 
cgit v1.2.1
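The commit message argues that net/http should hand the application whatever credentials sit in `http_proxy` and leave the policy decision to the caller. The following Ruby is an added example written for this page, not code from net-http or from the commit: it resolves a proxy and its userinfo from an environment hash the way an `http_proxy=scheme://user:pass@host:port` value is conventionally read, and puts the "ignore credentials from the environment" policy behind a caller-controlled option. The helper names and the `allow_credentials:` option are assumptions of this example; the percent-decoding uses `URI.decode_www_form_component`, which is assumed here to match what `Net::HTTP`'s private `unescape` produces for the values in the tests above.

```ruby
require 'uri'

# Resolved proxy settings. user/pass are nil when the URL carries no userinfo
# or when the caller's policy refuses environment-supplied credentials.
ProxyConfig = Struct.new(:host, :port, :user, :pass, keyword_init: true)

# Hypothetical helper (not net/http's own code).
#
# env:               a Hash-like object such as ENV; constructed hashes are used
#                    in the checks below so this runs offline.
# allow_credentials: policy knob. true mirrors the behaviour the commit adopts
#                    (credentials are used); false mirrors the old behaviour on
#                    platforms outside the removed linux|freebsd|darwin list.
#
# Returns a ProxyConfig, or nil when no usable proxy URL is present.
def proxy_from_env(env = ENV, allow_credentials: true)
  raw = env['http_proxy'] || env['HTTP_PROXY']
  return nil if raw.nil? || raw.empty?

  uri = URI.parse(raw)
  # A bare "host:port" parses as scheme "host" with no host component; treat
  # that as a misconfiguration rather than silently proxying to nowhere.
  return nil unless uri.host

  user = uri.user
  pass = uri.password
  unless allow_credentials
    user = nil
    pass = nil
  end

  ProxyConfig.new(
    host: uri.host,
    port: uri.port,
    # Userinfo is percent-encoded in the URL; decode it so "Y%5CX" becomes "Y\X".
    user: user && URI.decode_www_form_component(user),
    pass: pass && URI.decode_www_form_component(pass)
  )
rescue URI::InvalidURIError, ArgumentError
  # Malformed URL or invalid %-sequence: report "no proxy" instead of raising
  # from deep inside a request path.
  nil
end

# Convenience: true when the environment would hand credentials to the client.
# Useful as a startup audit in services that must not pick up a proxy password
# from a shared environment.
def proxy_credentials_in_env?(env = ENV)
  cfg = proxy_from_env(env, allow_credentials: true)
  !cfg.nil? && !(cfg.user.nil? && cfg.pass.nil?)
end

if __FILE__ == $0
  # Constructed sample environment, matching the values asserted in the
  # commit's test file.
  sample = { 'http_proxy' => 'http://Y%5CX:R%25S%5D%20%3FX@proxy.example:3128' }
  cfg = proxy_from_env(sample)
  puts "proxy #{cfg.host}:#{cfg.port} user=#{cfg.user.inspect} pass=#{cfg.pass.inspect}"
  puts "credentials present: #{proxy_credentials_in_env?(sample)}"
end
```

The decision the commit makes is visible in the `allow_credentials:` default: the library-level mechanism always exposes what the environment contains, and a caller that considers the environment untrusted on its platform opts out explicitly instead of relying on a hard-coded platform list.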


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
