merge revision(s) 30903:

* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): Test for below. * error.c (exc_to_s): untainted strings can be tainted via Exception#to_s, which enables attackers to overwrite sane strings. Reported by: Yusuke Endoh <mame at tsg.ne.jp>. * error.c (name_err_to_s): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@30911 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
guillermo · Feb 18, 2011 · 03022c9 · 03022c9
1 parent 4f4dc7b
commit 03022c9
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 5 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,16 @@
+Fri Feb 18 21:18:55 2011  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
+	  Test for below.
+
+Fri Feb 18 21:18:55 2011  URABE Shyouhei  <shyouhei@ruby-lang.org>
+
+	* error.c (exc_to_s): untainted strings can be tainted via
+	  Exception#to_s, which enables attackers to overwrite sane strings.
+	  Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
+
+	* error.c (name_err_to_s): ditto.
+
 Fri Feb 18 21:17:22 2011  Shugo Maeda  <shugo@ruby-lang.org>
 
 	* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a

diff --git a/error.c b/error.c
@@ -403,7 +403,6 @@ exc_to_s(exc)
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
@@ -667,10 +666,9 @@ name_err_to_s(exc)
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-	rb_iv_set(exc, "mesg", mesg = str);
+	OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*

diff --git a/test/ruby/test_exception.rb b/test/ruby/test_exception.rb
@@ -184,4 +184,26 @@ def test_else
       assert(false)
     end
   end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end
diff --git a/version.h b/version.h
@@ -2,7 +2,7 @@
 #define RUBY_RELEASE_DATE "2011-02-18"
 #define RUBY_VERSION_CODE 187
 #define RUBY_RELEASE_CODE 20110218
-#define RUBY_PATCHLEVEL 333
+#define RUBY_PATCHLEVEL 334
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8