merge revision(s): 53153 and 23405@ruby_1_9_1

	* ext/fiddle/handle.c: check tainted string arguments.
	  Patch provided by tenderlove and nobu.

	* test/fiddle/test_handle.rb (class TestHandle): add test for above.

	* ext/dl/handle.c (rb_dlhandle_initialize): prohibits DL::dlopen
	  with a tainted name of library.
	  Patch by sheepman <sheepman AT sheepman.sakura.ne.jp>.

	* ext/dl/handle.c (rb_dlhandle_sym): ditto



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_0_0@53161 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,18 @@
+Wed Dec 16 21:16:55 2015  CHIKANAGA Tomoyuki  <nagachika@ruby-lang.org>
+
+	* ext/fiddle/handle.c: check tainted string arguments.
+	  Patch provided by tenderlove and nobu.
+
+	* test/fiddle/test_handle.rb (class TestHandle): add test for above.
+
+Wed Dec 16 21:16:55 2015  Yuki Sonoda (Yugui)  <yugui@yugui.jp>
+
+	* ext/dl/handle.c (rb_dlhandle_initialize): prohibits DL::dlopen
+	  with a tainted name of library.
+	  Patch by sheepman <sheepman AT sheepman.sakura.ne.jp>.
+
+	* ext/dl/handle.c (rb_dlhandle_sym): ditto
+
 Tue Aug 18 22:00:12 2015  SHIBATA Hiroshi  <hsbt@ruby-lang.org>
 
 	* lib/rubygems.rb: bump version to 2.0.14.1. this version fixed

ext/dl/handle.c

@@ -5,6 +5,8 @@
 #include <ruby.h>
 #include "dl.h"
 
+#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v), RSTRING_PTR(v))
+
 VALUE rb_cDLHandle;
 
 #ifdef _WIN32
@@ -132,11 +134,11 @@ rb_dlhandle_initialize(int argc, VALUE argv[], VALUE self)
 	cflag = RTLD_LAZY | RTLD_GLOBAL;
 	break;
       case 1:
-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+	clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
 	cflag = RTLD_LAZY | RTLD_GLOBAL;
 	break;
       case 2:
-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+	clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
 	cflag = NUM2INT(flag);
 	break;
       default:
@@ -265,13 +267,16 @@ VALUE
 rb_dlhandle_sym(VALUE self, VALUE sym)
 {
     struct dl_handle *dlhandle;
+    const char *name;
+
+    name = SafeStringValuePtr(sym);
 
     TypedData_Get_Struct(self, struct dl_handle, &dlhandle_data_type, dlhandle);
     if( ! dlhandle->open ){
 	rb_raise(rb_eDLError, "closed handle");
     }
 
-    return dlhandle_sym(dlhandle->ptr, StringValueCStr(sym));
+    return dlhandle_sym(dlhandle->ptr, name);
 }
 
 #ifndef RTLD_NEXT

ext/fiddle/handle.c

@@ -1,6 +1,8 @@
 #include <ruby.h>
 #include <fiddle.h>
 
+#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v))
+
 VALUE rb_cHandle;
 
 struct dl_handle {
@@ -135,11 +137,11 @@ rb_fiddle_handle_initialize(int argc, VALUE argv[], VALUE self)
 	cflag = RTLD_LAZY | RTLD_GLOBAL;
 	break;
       case 1:
-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+	clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
 	cflag = RTLD_LAZY | RTLD_GLOBAL;
 	break;
       case 2:
-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+	clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
 	cflag = NUM2INT(flag);
 	break;
       default:
@@ -255,7 +257,7 @@ rb_fiddle_handle_to_i(VALUE self)
     return PTR2NUM(fiddle_handle);
 }
 
-static VALUE fiddle_handle_sym(void *handle, const char *symbol);
+static VALUE fiddle_handle_sym(void *handle, VALUE symbol);
 
 /*
  * Document-method: sym
@@ -274,7 +276,7 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym)
 	rb_raise(rb_eFiddleError, "closed handle");
     }
 
-    return fiddle_handle_sym(fiddle_handle->ptr, StringValueCStr(sym));
+    return fiddle_handle_sym(fiddle_handle->ptr, sym);
 }
 
 #ifndef RTLD_NEXT
@@ -297,11 +299,11 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym)
 static VALUE
 rb_fiddle_handle_s_sym(VALUE self, VALUE sym)
 {
-    return fiddle_handle_sym(RTLD_NEXT, StringValueCStr(sym));
+    return fiddle_handle_sym(RTLD_NEXT, sym);
 }
 
 static VALUE
-fiddle_handle_sym(void *handle, const char *name)
+fiddle_handle_sym(void *handle, VALUE symbol)
 {
 #if defined(HAVE_DLERROR)
     const char *err;
@@ -310,6 +312,7 @@ fiddle_handle_sym(void *handle, const char *name)
 # define CHECK_DLERROR
 #endif
     void (*func)();
+    const char *name = SafeStringValueCStr(symbol);
 
     rb_secure(2);
 #ifdef HAVE_DLERROR
@@ -359,7 +362,7 @@ fiddle_handle_sym(void *handle, const char *name)
     }
 #endif
     if( !func ){
-	rb_raise(rb_eFiddleError, "unknown symbol \"%s\"", name);
+	rb_raise(rb_eFiddleError, "unknown symbol \"%"PRIsVALUE"\"", symbol);
     }
 
     return PTR2NUM(func);

test/fiddle/test_handle.rb

@@ -10,6 +10,23 @@ class TestHandle < TestCase
 
     include Test::Unit::Assertions
 
+    def test_safe_handle_open
+      t = Thread.new do
+        $SAFE = 1
+        Fiddle::Handle.new(LIBC_SO.taint)
+      end
+      assert_raise(SecurityError) { t.value }
+    end
+
+    def test_safe_function_lookup
+      t = Thread.new do
+        h = Fiddle::Handle.new(LIBC_SO)
+        $SAFE = 1
+        h["qsort".taint]
+      end
+      assert_raise(SecurityError) { t.value }
+    end
+
     def test_to_i
       handle = Fiddle::Handle.new(LIBC_SO)
       assert_kind_of Integer, handle.to_i

version.h

@@ -1,10 +1,10 @@
 #define RUBY_VERSION "2.0.0"
-#define RUBY_RELEASE_DATE "2015-08-18"
-#define RUBY_PATCHLEVEL 647
+#define RUBY_RELEASE_DATE "2015-12-16"
+#define RUBY_PATCHLEVEL 648
 
 #define RUBY_RELEASE_YEAR 2015
-#define RUBY_RELEASE_MONTH 8
-#define RUBY_RELEASE_DAY 18
+#define RUBY_RELEASE_MONTH 12
+#define RUBY_RELEASE_DAY 16
 
 #include "ruby/version.h"