
Merge remote branch 'upstream/v1_8_7_334'

2 parents 0fc5c2f + ba25f28 commit e1b23fe185dcab3116da7b819e1f5b4e6e2f7b03 @FooBarWidget FooBarWidget committed Feb 19, 2011
Showing with 76 additions and 40 deletions.
  1. +34 −0 ChangeLog
  2. +3 −17 configure.in
  3. +2 −4 error.c
  4. +9 −4 lib/fileutils.rb
  5. +22 −0 test/ruby/test_exception.rb
  6. +6 −6 version.h
  7. +0 −9 win32/win32.c
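--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,37 @@
+Fri Feb 18 21:18:55 2011 Shugo Maeda <shugo@ruby-lang.org>
+
+ * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
+ Test for below.
+
+Fri Feb 18 21:18:55 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
+
+ * error.c (exc_to_s): untainted strings can be tainted via
+ Exception#to_s, which enables attackers to overwrite sane strings.
+ Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
+
+ * error.c (name_err_to_s): ditto.
+
+Fri Feb 18 21:17:22 2011 Shugo Maeda <shugo@ruby-lang.org>
+
+ * lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
+ race condition in the case where the given path is a directory,
+ and some other user can move that directory, and create a
+ symlink while this method is executing.
+ Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
+
+Fri Feb 18 19:46:46 2011 NAKAMURA Usaku <usa@ruby-lang.org>
+
+ * win32/win32.c (init_stdhandle): backport mistake of r29382.
+ some code are needless in ruby 1.8.
+ [ruby-core:34579]
+
+Fri Feb 18 19:22:17 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
+
+ * configure.in: revert revision r29854. This revision introduced
+ binary incompatibilities on some circumstances. The bug that
+ revision was fixing gets reopened by this reversion.
+ [ruby-dev:43152] cf. [Bug #2553]
+
 Thu Dec 23 12:22:35 2010 Tanaka Akira <akr@fsij.org>
 * lib/resolv.rb (Resolv::IPv4::Regex): make it only accept 0 to 255.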
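--- a/configure.in
+++ b/configure.in
@@ -522,7 +522,7 @@ AC_CHECK_HEADERS(stdlib.h string.h unistd.h limits.h sys/file.h sys/ioctl.h sys/
 fcntl.h sys/fcntl.h sys/select.h sys/time.h sys/times.h sys/param.h\
 syscall.h pwd.h grp.h a.out.h utime.h memory.h direct.h sys/resource.h \
 sys/mkdev.h sys/utime.h netinet/in_systm.h float.h ieeefp.h pthread.h \
- intrinsics.h time.h)
+ ucontext.h intrinsics.h time.h)
 dnl Check additional types.
 AC_CHECK_SIZEOF(rlim_t, 0, [
@@ -1085,22 +1085,8 @@ if test x"$enable_pthread" = xyes; then
 fi
 fi
 fi
-
-use_context=no
-if test x"$rb_with_pthread" = xyes; then
- AS_CASE("$target_cpu:$target_os:$cross_compiling",
- [*:linux*:no], [
- if test -n "`(/lib/libc.so.6 2>/dev/null | fgrep 'linuxthreads') 2> /dev/null`"; then
- use_context=yes
- fi
- ],
- [sparc*], [
- use_context=yes
- ])
-fi
-if test x"$use_context" = xyes; then
- AC_CHECK_HEADERS(ucontext.h)
- if test x"$ac_cv_header_ucontext_h" = xyes; then
+if test x"$ac_cv_header_ucontext_h" = xyes; then
+ if test x"$rb_with_pthread" = xyes; then
 AC_CHECK_FUNCS(getcontext setcontext)
 fi
 fi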
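Review bot: Nothing in configure.in records that the restored block at `if test x"$ac_cv_header_ucontext_h" = xyes; then` is a deliberate revert that reopens a known bug; only the ChangeLog entry says so. After this change `getcontext`/`setcontext` are probed whenever `ucontext.h` is present and pthread is enabled, instead of only on the linuxthreads and sparc cases the removed `AS_CASE` selected. I would add a comment above the test so the next person does not re-apply the reverted change without reading the history, e.g. `dnl r29854 reverted for binary compatibility; reopens [Bug #2553], see ChangeLog`.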
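--- a/error.c
+++ b/error.c
@@ -403,7 +403,6 @@ exc_to_s(exc)
 VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
 return mesg;
 }
@@ -667,10 +666,9 @@ name_err_to_s(exc)
 if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
 StringValue(str);
 if (str != mesg) {
- rb_iv_set(exc, "mesg", mesg = str);
+ OBJ_INFECT(str, mesg);
 }
- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
- return mesg;
+ return str;
 }
 /*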
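Review bot: Neither `exc_to_s` nor `name_err_to_s` now carries a comment saying why the exception's taint is not copied onto the returned string, and `return mesg;` in `exc_to_s` still hands back the stored message object itself rather than a copy. A one-line comment above that return would keep a later maintainer from re-adding the removed `OBJ_TAINT(mesg)`: `/* mesg may be the caller's own String; never taint or modify it here */`. In `name_err_to_s`, `str` is no longer written back with `rb_iv_set`, so the `StringValue(str)` conversion presumably runs again on every call; how `str` is initialised is outside the hunk, so that is worth confirming. Both function bodies start outside the hunks.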
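--- a/lib/fileutils.rb
+++ b/lib/fileutils.rb
@@ -658,10 +658,10 @@ def rm_rf(list, options = {})
 # removing directories. This requires the current process is the
 # owner of the removing whole directory tree, or is the super user (root).
 #
- # WARNING: You must ensure that *ALL* parent directories are not
- # world writable. Otherwise this method does not work.
- # Only exception is temporary directory like /tmp and /var/tmp,
- # whose permission is 1777.
+ # WARNING: You must ensure that *ALL* parent directories cannot be
+ # moved by other untrusted users. For example, parent directories
+ # should not be owned by untrusted users, and should not be world
+ # writable except when the sticky bit set.
 #
 # WARNING: Only the owner of the removing directory tree, or Unix super
 # user (root) should invoke this method. Otherwise this method does not
@@ -704,6 +704,11 @@ def remove_entry_secure(path, force = false)
 end
 f.chown euid, -1
 f.chmod 0700
+ unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+ # TOC-to-TOU attack?
+ File.unlink fullpath
+ return
+ end
 }
 # ---- tree root is frozen ----
 root = Entry_.new(path)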
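Review bot: The mismatch branch at `File.unlink fullpath` acts by path on an entry that `fu_stat_identical_entry?` has just shown is not the one that was opened, and the bare `return` then leaves the caller unable to tell that the tree was not removed. `File.unlink` also fails when a directory now sits at that path, so the branch can raise instead of returning. I would at least document the silent return in the method comment and spell the inline comment out, e.g. `# TOCTTOU: entry at fullpath changed after it was opened; stop here`. The `f.chown`/`f.chmod` calls run before the comparison; whether they act on the opened handle rather than on the path is decided outside the hunk, as is the rest of `remove_entry_secure`.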
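--- a/test/ruby/test_exception.rb
+++ b/test/ruby/test_exception.rb
@@ -184,4 +184,26 @@ def test_else
 assert(false)
 end
 end
+
+ def test_to_s_taintness_propagation
+ for exc in [Exception, NameError]
+ m = "abcdefg"
+ e = exc.new(m)
+ e.taint
+ s = e.to_s
+ assert_equal(false, m.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ assert_equal(false, s.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ end
+
+ o = Object.new
+ def o.to_str
+ "foo"
+ end
+ o.taint
+ e = NameError.new(o)
+ s = e.to_s
+ assert_equal(true, s.tainted?)
+ end
 end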
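Review bot: The last assertion, `assert_equal(true, s.tainted?)`, has no failure message while the assertions in the loop do, and it is the only one that pins the case where the message object itself is tainted. I would add one: `assert_equal(true, s.tainted?, "NameError#to_s should keep the taint of a tainted message object")`. The two assertions inside the loop also share an identical message, so a failure does not say whether the original string `m` or the returned string `s` was tainted; naming the variable in each message would fix that.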
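--- a/version.h
+++ b/version.h
@@ -1,15 +1,15 @@
 #define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2010-12-23"
+#define RUBY_RELEASE_DATE "2011-02-18"
 #define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20101223
-#define RUBY_PATCHLEVEL 330
+#define RUBY_RELEASE_CODE 20110218
+#define RUBY_PATCHLEVEL 334
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 7
-#define RUBY_RELEASE_YEAR 2010
-#define RUBY_RELEASE_MONTH 12
-#define RUBY_RELEASE_DAY 23
+#define RUBY_RELEASE_YEAR 2011
+#define RUBY_RELEASE_MONTH 2
+#define RUBY_RELEASE_DAY 18
 #ifdef RUBY_EXTERN
 RUBY_EXTERN const char ruby_version[];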
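--- a/win32/win32.c
+++ b/win32/win32.c
@@ -1894,21 +1894,12 @@ init_stdhandle(void)
 if (fileno(stdin) < 0) {
 stdin->_file = open_null(0);
 }
- else {
- setmode(fileno(stdin), O_BINARY);
- }
 if (fileno(stdout) < 0) {
 stdout->_file = open_null(1);
 }
- else {
- setmode(fileno(stdout), O_BINARY);
- }
 if (fileno(stderr) < 0) {
 stderr->_file = open_null(2);
 }
- else {
- setmode(fileno(stderr), O_BINARY);
- }
 if (nullfd >= 0 && !keep) close(nullfd);
 setvbuf(stderr, NULL, _IONBF, 0);
 }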
