Merge branch 'copy_on_write' into zero_copy_context_switch

FooBarWidget · Feb 19, 2011 · 9be15bb · 9be15bb
2 parents 9d7a0ee + a3b876c
commit 9be15bb
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 40 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,37 @@
+Fri Feb 18 21:18:55 2011  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
+	  Test for below.
+
+Fri Feb 18 21:18:55 2011  URABE Shyouhei  <shyouhei@ruby-lang.org>
+
+	* error.c (exc_to_s): untainted strings can be tainted via
+	  Exception#to_s, which enables attackers to overwrite sane strings.
+	  Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
+
+	* error.c (name_err_to_s): ditto.
+
+Fri Feb 18 21:17:22 2011  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
+	  race condition in the case where the given path is a directory,
+	  and some other user can move that directory, and create a
+	  symlink while this method is executing.
+	  Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
+
+Fri Feb 18 19:46:46 2011  NAKAMURA Usaku  <usa@ruby-lang.org>
+
+	* win32/win32.c (init_stdhandle): backport mistake of r29382.
+	  some code are needless in ruby 1.8.
+	  [ruby-core:34579]
+
+Fri Feb 18 19:22:17 2011  URABE Shyouhei  <shyouhei@ruby-lang.org>
+
+	* configure.in: revert revision r29854.  This revision introduced
+	  binary incompatibilities on some circumstances.  The bug that
+	  revision was fixing gets reopened by this reversion.
+	  [ruby-dev:43152] cf. [Bug #2553]
+
 Thu Dec 23 12:22:35 2010  Tanaka Akira  <akr@fsij.org>
 
 	* lib/resolv.rb (Resolv::IPv4::Regex): make it only accept 0 to 255.

diff --git a/configure.in b/configure.in
@@ -540,7 +540,7 @@ AC_CHECK_HEADERS(stdlib.h string.h unistd.h limits.h sys/file.h sys/ioctl.h sys/
 		 fcntl.h sys/fcntl.h sys/select.h sys/time.h sys/times.h sys/param.h\
 		 syscall.h pwd.h grp.h a.out.h utime.h memory.h direct.h sys/resource.h \
 		 sys/mkdev.h sys/utime.h netinet/in_systm.h float.h ieeefp.h pthread.h \
-		 intrinsics.h time.h)
+		 ucontext.h intrinsics.h time.h)
 
 dnl Check additional types.
 AC_CHECK_SIZEOF(rlim_t, 0, [
@@ -1103,22 +1103,8 @@ if test x"$enable_pthread" = xyes; then
        fi
     fi
 fi
-
-use_context=no
-if test x"$rb_with_pthread" = xyes; then
-    AS_CASE("$target_cpu:$target_os:$cross_compiling",
-    [*:linux*:no], [
-        if test -n "`(/lib/libc.so.6 2>/dev/null | fgrep 'linuxthreads') 2> /dev/null`"; then
-	    use_context=yes
-	fi
-    ],
-    [sparc*], [
-    	use_context=yes
-    ])
-fi
-if test x"$use_context" = xyes; then
-    AC_CHECK_HEADERS(ucontext.h)
-    if test x"$ac_cv_header_ucontext_h" = xyes; then
+if test x"$ac_cv_header_ucontext_h" = xyes; then
+    if test x"$rb_with_pthread" = xyes; then
 	AC_CHECK_FUNCS(getcontext setcontext)
     fi
 fi

diff --git a/error.c b/error.c
@@ -403,7 +403,6 @@ exc_to_s(exc)
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
@@ -667,10 +666,9 @@ name_err_to_s(exc)
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-	rb_iv_set(exc, "mesg", mesg = str);
+	OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*

diff --git a/lib/fileutils.rb b/lib/fileutils.rb
@@ -658,10 +658,10 @@ def rm_rf(list, options = {})
   # removing directories.  This requires the current process is the
   # owner of the removing whole directory tree, or is the super user (root).
   #
-  # WARNING: You must ensure that *ALL* parent directories are not
-  # world writable.  Otherwise this method does not work.
-  # Only exception is temporary directory like /tmp and /var/tmp,
-  # whose permission is 1777.
+  # WARNING: You must ensure that *ALL* parent directories cannot be
+  # moved by other untrusted users.  For example, parent directories
+  # should not be owned by untrusted users, and should not be world
+  # writable except when the sticky bit set.
   #
   # WARNING: Only the owner of the removing directory tree, or Unix super
   # user (root) should invoke this method.  Otherwise this method does not
@@ -704,6 +704,11 @@ def remove_entry_secure(path, force = false)
       end
       f.chown euid, -1
       f.chmod 0700
+      unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+        # TOC-to-TOU attack?
+        File.unlink fullpath
+        return
+      end
     }
     # ---- tree root is frozen ----
     root = Entry_.new(path)

diff --git a/test/ruby/test_exception.rb b/test/ruby/test_exception.rb
@@ -184,4 +184,26 @@ def test_else
       assert(false)
     end
   end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end
diff --git a/version.h b/version.h
@@ -1,15 +1,15 @@
 #define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2010-12-23"
+#define RUBY_RELEASE_DATE "2011-02-18"
 #define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20101223
-#define RUBY_PATCHLEVEL 330
+#define RUBY_RELEASE_CODE 20110218
+#define RUBY_PATCHLEVEL 334
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 7
-#define RUBY_RELEASE_YEAR 2010
-#define RUBY_RELEASE_MONTH 12
-#define RUBY_RELEASE_DAY 23
+#define RUBY_RELEASE_YEAR 2011
+#define RUBY_RELEASE_MONTH 2
+#define RUBY_RELEASE_DAY 18
 
 #ifdef RUBY_EXTERN
 RUBY_EXTERN const char ruby_version[];

diff --git a/win32/win32.c b/win32/win32.c
@@ -1894,21 +1894,12 @@ init_stdhandle(void)
     if (fileno(stdin) < 0) {
 	stdin->_file = open_null(0);
     }
-    else {
-	setmode(fileno(stdin), O_BINARY);
-    }
     if (fileno(stdout) < 0) {
 	stdout->_file = open_null(1);
     }
-    else {
-	setmode(fileno(stdout), O_BINARY);
-    }
     if (fileno(stderr) < 0) {
 	stderr->_file = open_null(2);
     }
-    else {
-	setmode(fileno(stderr), O_BINARY);
-    }
     if (nullfd >= 0 && !keep) close(nullfd);
     setvbuf(stderr, NULL, _IONBF, 0);
 }