Skip to content

Commit

Permalink
Get String length after args in String#chomp!
Browse files Browse the repository at this point in the history
Fixes RCE issue
Reported by @bouk
  • Loading branch information
clayton-shopify authored and bouk committed Nov 24, 2016
1 parent a630c4f commit 76a1bdf
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 2 deletions.
4 changes: 3 additions & 1 deletion src/string.c
Original file line number Diff line number Diff line change
Expand Up @@ -1235,11 +1235,13 @@ mrb_str_chomp_bang(mrb_state *mrb, mrb_value str)
char *p, *pp;
mrb_int rslen;
mrb_int len;
mrb_int argc;
struct RString *s = mrb_str_ptr(str);

mrb_str_modify(mrb, s);
argc = mrb_get_args(mrb, "|S", &rs);
len = RSTR_LEN(s);
if (mrb_get_args(mrb, "|S", &rs) == 0) {
if (argc == 0) {
if (len == 0) return mrb_nil_value();
smart_chomp:
if (RSTR_PTR(s)[len-1] == '\n') {
Expand Down
14 changes: 13 additions & 1 deletion test/t/string.rb
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,19 @@
assert_equal 'abc', e
end

assert('String#chomp! uses the correct length') do
class A
def to_str
$s.replace("AA")
"A"
end
end

$s = "AAA"
$s.chomp!(A.new)
assert_equal $s, "A"
end

assert('String#chop', '15.2.10.5.11') do
a = ''.chop
b = 'abc'.chop
Expand Down Expand Up @@ -683,4 +696,3 @@

assert_raise(RuntimeError) { str.upcase! }
end

0 comments on commit 76a1bdf

Please sign in to comment.