* string.c (rb_str_intern): prohibit interning tainted string.

git-svn-id: http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_8@10916 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
FooBarWidget · Sep 13, 2006 · c008583 · c008583
1 parent fb303ec
commit c008583
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 13 deletions.
diff --git a/.cvsignore b/.cvsignore
@@ -8,6 +8,7 @@
 .ext
 .git
 .svn
+.pc
 .rbconfig.time
 COPYING.LIB
 ChangeLog.pre-alpha
@@ -26,32 +27,20 @@ config.h.in
 config.log
 config.status
 configure
-foo.rb
 libruby.so.*
 miniruby
-miniruby.elhash
-miniruby.elhash2
-miniruby.orig2
-miniruby.plhash
-miniruby.plhash2
-modex.rb
 newdate.rb
 newver.rb
 parse.c
-parse.y.try
-pitest.rb
+patches
 ppack
 preview
 rbconfig.rb
-rename2.h
 repack
 riscos
 rubicon
 ruby
 ruby-man.rd.gz
-rubyunit
-st.c.power
-this that
 tmp
 web
 y.output

diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+Wed Sep 13 16:43:36 2006  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* string.c (rb_str_intern): prohibit interning tainted string.
+
 Wed Sep 13 01:14:21 2006  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* lib/optparse.rb (OptionParser#getopts): works with pre-registered

diff --git a/string.c b/string.c
@@ -4404,6 +4404,9 @@ rb_str_intern(s)
     }
     if (strlen(RSTRING(str)->ptr) != RSTRING(str)->len)
 	rb_raise(rb_eArgError, "symbol string may not contain `\\0'");
+    if (OBJ_TAINTED(str)) {
+	rb_raise(rb_eSecurityError, "Insecure: can't intern tainted string");
+    }
     id = rb_intern(RSTRING(str)->ptr);
     return ID2SYM(id);
 }