Merge branch 'copy_on_write' into zero_copy_context_switch

commit 9be15bbbedfcecaad6a1a62783287d85e533e9b9 2 parents 9d7a0ee + a3b876c
Hongli Lai authored February 19, 2011
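--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,37 @@
+Fri Feb 18 21:18:55 2011  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
+	  Test for below.
+
+Fri Feb 18 21:18:55 2011  URABE Shyouhei  <shyouhei@ruby-lang.org>
+
+	* error.c (exc_to_s): untainted strings can be tainted via
+	  Exception#to_s, which enables attackers to overwrite sane strings.
+	  Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
+
+	* error.c (name_err_to_s): ditto.
+
+Fri Feb 18 21:17:22 2011  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
+	  race condition in the case where the given path is a directory,
+	  and some other user can move that directory, and create a
+	  symlink while this method is executing.
+	  Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
+
+Fri Feb 18 19:46:46 2011  NAKAMURA Usaku  <usa@ruby-lang.org>
+
+	* win32/win32.c (init_stdhandle): backport mistake of r29382.
+	  some code are needless in ruby 1.8.
+	  [ruby-core:34579]
+
+Fri Feb 18 19:22:17 2011  URABE Shyouhei  <shyouhei@ruby-lang.org>
+
+	* configure.in: revert revision r29854.  This revision introduced
+	  binary incompatibilities on some circumstances.  The bug that
+	  revision was fixing gets reopened by this reversion.
+	  [ruby-dev:43152] cf. [Bug #2553]
+
 Thu Dec 23 12:22:35 2010  Tanaka Akira  <akr@fsij.org>
 
 	* lib/resolv.rb (Resolv::IPv4::Regex): make it only accept 0 to 255.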
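--- a/configure.in
+++ b/configure.in
@@ -540,7 +540,7 @@ AC_CHECK_HEADERS(stdlib.h string.h unistd.h limits.h sys/file.h sys/ioctl.h sys/
 		 fcntl.h sys/fcntl.h sys/select.h sys/time.h sys/times.h sys/param.h\
 		 syscall.h pwd.h grp.h a.out.h utime.h memory.h direct.h sys/resource.h \
 		 sys/mkdev.h sys/utime.h netinet/in_systm.h float.h ieeefp.h pthread.h \
-		 intrinsics.h time.h)
+		 ucontext.h intrinsics.h time.h)
 
 dnl Check additional types.
 AC_CHECK_SIZEOF(rlim_t, 0, [
@@ -1103,22 +1103,8 @@ if test x"$enable_pthread" = xyes; then
       fi
     fi
 fi
-
-use_context=no
-if test x"$rb_with_pthread" = xyes; then
-    AS_CASE("$target_cpu:$target_os:$cross_compiling",
-    [*:linux*:no], [
-        if test -n "`(/lib/libc.so.6 2>/dev/null | fgrep 'linuxthreads') 2> /dev/null`"; then
-	    use_context=yes
-	fi
-    ],
-    [sparc*], [
-    	use_context=yes
-    ])
-fi
-if test x"$use_context" = xyes; then
-    AC_CHECK_HEADERS(ucontext.h)
-    if test x"$ac_cv_header_ucontext_h" = xyes; then
+if test x"$ac_cv_header_ucontext_h" = xyes; then
+    if test x"$rb_with_pthread" = xyes; then
 	AC_CHECK_FUNCS(getcontext setcontext)
     fi
 fi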
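Review bot: The rewritten test at new line 1106 depends on the cache variable `ac_cv_header_ucontext_h`, which is now set only because `ucontext.h` was added to the AC_CHECK_HEADERS list near line 543, and nothing in either hunk records that link. With the `use_context` gate removed, getcontext/setcontext are probed on every pthread build that has the header rather than only on the linuxthreads and sparc targets, so a short comment would help whoever next trims the header list, for example `dnl ucontext.h is probed in AC_CHECK_HEADERS above; getcontext/setcontext are checked on any pthread build that has it`. Whether the wider enablement is intended for all targets is not visible from this page and is worth confirming.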
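--- a/error.c
+++ b/error.c
@@ -403,7 +403,6 @@ exc_to_s(exc)
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
@@ -667,10 +666,9 @@ name_err_to_s(exc)
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-	rb_iv_set(exc, "mesg", mesg = str);
+	OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*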
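Review bot: In name_err_to_s the new `OBJ_INFECT(str, mesg)` marks the object returned by the message's string conversion in place, and neither hunk carries a comment saying why taint now flows only from the message to its string form and never from the exception to the message. That reasoning is the whole security fix (per the ChangeLog entry, a tainted exception could taint a string the caller still holds), so it should be recorded at both sites, e.g. `/* never taint mesg from exc: mesg may be a caller-owned string */` above `return mesg;` in exc_to_s and `/* str inherits taint from mesg only */` above the OBJ_INFECT call. Dropping `rb_iv_set(exc, "mesg", ...)` also means the conversion appears to run on every call instead of being cached, which looks deliberate but deserves a word in the comment. The declaration of `str` and the start of both functions are outside the hunks.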
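--- a/lib/fileutils.rb
+++ b/lib/fileutils.rb
@@ -658,10 +658,10 @@ def rm_rf(list, options = {})
   # removing directories.  This requires the current process is the
   # owner of the removing whole directory tree, or is the super user (root).
   #
-  # WARNING: You must ensure that *ALL* parent directories are not
-  # world writable.  Otherwise this method does not work.
-  # Only exception is temporary directory like /tmp and /var/tmp,
-  # whose permission is 1777.
+  # WARNING: You must ensure that *ALL* parent directories cannot be
+  # moved by other untrusted users.  For example, parent directories
+  # should not be owned by untrusted users, and should not be world
+  # writable except when the sticky bit set.
   #
   # WARNING: Only the owner of the removing directory tree, or Unix super
   # user (root) should invoke this method.  Otherwise this method does not
@@ -704,6 +704,11 @@ def remove_entry_secure(path, force = false)
       end
       f.chown euid, -1
       f.chmod 0700
+      unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+        # TOC-to-TOU attack?
+        File.unlink fullpath
+        return
+      end
     }
     # ---- tree root is frozen ----
     root = Entry_.new(path)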
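Review bot: The identity check added after `f.chmod 0700` abandons the removal with a bare `return`, so a caller cannot tell a completed removal from one that was aborted because the path was swapped underneath it; raising or at least warning here would preserve that signal for whoever investigates later. `File.lstat(fullpath)` and `File.unlink fullpath` can themselves raise if the entry has vanished or been replaced by a directory, and the `force` argument is not consulted on this path as far as the hunk shows. The comment is also misspelled; `# TOCTTOU: fullpath no longer names the directory opened above, so remove the replacement entry and stop` would say what the branch does. The rest of remove_entry_secure, including where `st` is taken, is outside the hunk.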
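--- a/test/ruby/test_exception.rb
+++ b/test/ruby/test_exception.rb
@@ -184,4 +184,26 @@ def test_else
       assert(false)
     end
   end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+    
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end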
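Review bot: A tainted message is exercised only through the NameError/to_str case at the end of test_to_s_taintness_propagation; no assertion covers a tainted String message, so for Exception nothing checks that taint carried by the message itself still reaches the result. Adding `m = "abcdefg".taint` and `assert_equal(true, exc.new(m).to_s.tainted?)` inside the loop would pin that direction for both classes. The final `assert_equal(true, s.tainted?)` also lacks a failure message, unlike the two assertions above it.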
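--- a/version.h
+++ b/version.h
@@ -1,15 +1,15 @@
 #define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2010-12-23"
+#define RUBY_RELEASE_DATE "2011-02-18"
 #define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20101223
-#define RUBY_PATCHLEVEL 330
+#define RUBY_RELEASE_CODE 20110218
+#define RUBY_PATCHLEVEL 334
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 7
-#define RUBY_RELEASE_YEAR 2010
-#define RUBY_RELEASE_MONTH 12
-#define RUBY_RELEASE_DAY 23
+#define RUBY_RELEASE_YEAR 2011
+#define RUBY_RELEASE_MONTH 2
+#define RUBY_RELEASE_DAY 18
 
 #ifdef RUBY_EXTERN
 RUBY_EXTERN const char ruby_version[];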
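--- a/win32/win32.c
+++ b/win32/win32.c
@@ -1894,21 +1894,12 @@ init_stdhandle(void)
     if (fileno(stdin) < 0) {
 	stdin->_file = open_null(0);
     }
-    else {
-	setmode(fileno(stdin), O_BINARY);
-    }
     if (fileno(stdout) < 0) {
 	stdout->_file = open_null(1);
     }
-    else {
-	setmode(fileno(stdout), O_BINARY);
-    }
     if (fileno(stderr) < 0) {
 	stderr->_file = open_null(2);
     }
-    else {
-	setmode(fileno(stderr), O_BINARY);
-    }
     if (nullfd >= 0 && !keep) close(nullfd);
     setvbuf(stderr, NULL, _IONBF, 0);
 }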
