merge revision(s) 30903:

shyouhei · shyouhei · commit 03022c9d9f68 · 2011-02-18T12:32:35.000Z
* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
	  Test for below.
	* error.c (exc_to_s): untainted strings can be tainted via
	  Exception#to_s, which enables attackers to overwrite sane strings.
	  Reported by: Yusuke Endoh &lt;mame at tsg.ne.jp&gt;.
	* error.c (name_err_to_s): ditto.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@30911 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,16 @@
+Fri Feb 18 21:18:55 2011  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
+	  Test for below.
+
+Fri Feb 18 21:18:55 2011  URABE Shyouhei  <shyouhei@ruby-lang.org>
+
+	* error.c (exc_to_s): untainted strings can be tainted via
+	  Exception#to_s, which enables attackers to overwrite sane strings.
+	  Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
+
+	* error.c (name_err_to_s): ditto.
+
 Fri Feb 18 21:17:22 2011  Shugo Maeda  <shugo@ruby-lang.org>
 
 	* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
diff --git a/error.c b/error.c
@@ -403,7 +403,6 @@ exc_to_s(exc)
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
@@ -667,10 +666,9 @@ name_err_to_s(exc)
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-	rb_iv_set(exc, "mesg", mesg = str);
+	OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*
diff --git a/test/ruby/test_exception.rb b/test/ruby/test_exception.rb
@@ -184,4 +184,26 @@ def test_else
       assert(false)
     end
   end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+    
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end
diff --git a/version.h b/version.h
@@ -2,7 +2,7 @@
 #define RUBY_RELEASE_DATE "2011-02-18"
 #define RUBY_VERSION_CODE 187
 #define RUBY_RELEASE_CODE 20110218
-#define RUBY_PATCHLEVEL 333
+#define RUBY_PATCHLEVEL 334
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8

Original file line number	Diff line number	Diff line change
`@@ -403,7 +403,6 @@ exc_to_s(exc)`
`403`	`403`	`VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));`
`404`	`404`
`405`	`405`	`if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));`
`406`		`- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);`
`407`	`406`	`return mesg;`
`408`	`407`	`}`
`409`	`408`
`@@ -667,10 +666,9 @@ name_err_to_s(exc)`
`667`	`666`	`if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));`
`668`	`667`	`StringValue(str);`
`669`	`668`	`if (str != mesg) {`
`670`		`- rb_iv_set(exc, "mesg", mesg = str);`
	`669`	`+ OBJ_INFECT(str, mesg);`
`671`	`670`	`}`
`672`		`- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);`
`673`		`- return mesg;`
	`671`	`+ return str;`
`674`	`672`	`}`
`675`	`673`
`676`	`674`	`/*`