From 073cc5e815fcf5178fe4e515fcde74dc3597adeb Mon Sep 17 00:00:00 2001
From: usa
Date: Wed, 16 Dec 2015 12:30:28 +0000
Subject: [PATCH] merge revision(s): 53153 and 23405@ruby_1_9_1
* ext/fiddle/handle.c: check tainted string arguments. Patch provided by tenderlove and nobu.
* test/fiddle/test_handle.rb (class TestHandle): add test for above.
* ext/dl/handle.c (rb_dlhandle_initialize): prohibits DL::dlopen with a tainted name of library. Patch by sheepman .
* ext/dl/handle.c (rb_dlhandle_sym): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_0_0@53161 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
ChangeLog | 15 +++++++++++++++
ext/dl/handle.c | 11 ++++++++---
ext/fiddle/handle.c | 17 ++++++++++-------
test/fiddle/test_handle.rb | 17 +++++++++++++++++
version.h | 8 ++++----
5 files changed, 54 insertions(+), 14 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 305d1be2fffff9..65075617cb42be 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+Wed Dec 16 21:16:55 2015 CHIKANAGA Tomoyuki
+
+ * ext/fiddle/handle.c: check tainted string arguments.
+ Patch provided by tenderlove and nobu.
+
+ * test/fiddle/test_handle.rb (class TestHandle): add test for above.
+
+Wed Dec 16 21:16:55 2015 Yuki Sonoda (Yugui)
+
+ * ext/dl/handle.c (rb_dlhandle_initialize): prohibits DL::dlopen
+ with a tainted name of library.
+ Patch by sheepman .
+
+ * ext/dl/handle.c (rb_dlhandle_sym): ditto
+
Tue Aug 18 22:00:12 2015 SHIBATA Hiroshi * lib/rubygems.rb: bump version to 2.0.14.1. this version fixed
diff --git a/ext/dl/handle.c b/ext/dl/handle.c
index 6b90e089eef82d..c967b2fb8ec498 100644
--- a/ext/dl/handle.c
+++ b/ext/dl/handle.c
@@ -5,6 +5,8 @@
#include
#include "dl.h"
+#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v), RSTRING_PTR(v))
+
VALUE rb_cDLHandle;
#ifdef _WIN32
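Review bot: `SafeStringValuePtr` ends in `RSTRING_PTR(v)`, which neither rejects embedded NUL bytes nor guarantees a terminating NUL, so the `@@ -265` hunk in this file, which swaps `StringValueCStr(sym)` for it, loses the C-string validation `dlsym` was getting, and `rb_dlhandle_initialize` now hands the same kind of pointer to `dlopen`. The sibling macro added to ext/fiddle/handle.c in this same commit keeps `StringValueCStr`, so the two extensions end up validating library and symbol names differently. I would define it as `#define SafeStringValuePtr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v))` with a one-line comment saying it is `StringValueCStr` plus the `$SAFE` taint check. The macro evaluates `v` more than once and needs an lvalue, which both call sites satisfy, but that is worth stating in the comment too.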
@@ -132,11 +134,11 @@ rb_dlhandle_initialize(int argc, VALUE argv[], VALUE self)
cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 1:
- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 2:
- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
cflag = NUM2INT(flag); break; default:
@@ -265,13 +267,16 @@ VALUE
rb_dlhandle_sym(VALUE self, VALUE sym) { struct dl_handle *dlhandle;
+ const char *name;
+
+ name = SafeStringValuePtr(sym);
TypedData_Get_Struct(self, struct dl_handle, &dlhandle_data_type, dlhandle); if( ! dlhandle->open ){ rb_raise(rb_eDLError, "closed handle"); }
- return dlhandle_sym(dlhandle->ptr, StringValueCStr(sym));
+ return dlhandle_sym(dlhandle->ptr, name);
}
#ifndef RTLD_NEXT
diff --git a/ext/fiddle/handle.c b/ext/fiddle/handle.c
index 4bb402bdfa26c1..7cf6745cc72c0c 100644
--- a/ext/fiddle/handle.c
+++ b/ext/fiddle/handle.c
@@ -1,6 +1,8 @@
#include
#include
+#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v))
+
VALUE rb_cHandle; struct dl_handle {
@@ -135,11 +137,11 @@ rb_fiddle_handle_initialize(int argc, VALUE argv[], VALUE self)
cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 1:
- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+ clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 2:
- clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+ clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
cflag = NUM2INT(flag); break; default:
@@ -255,7 +257,7 @@ rb_fiddle_handle_to_i(VALUE self)
return PTR2NUM(fiddle_handle); }
-static VALUE fiddle_handle_sym(void *handle, const char *symbol);
+static VALUE fiddle_handle_sym(void *handle, VALUE symbol);
/* * Document-method: sym
@@ -274,7 +276,7 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym)
rb_raise(rb_eFiddleError, "closed handle"); }
- return fiddle_handle_sym(fiddle_handle->ptr, StringValueCStr(sym));
+ return fiddle_handle_sym(fiddle_handle->ptr, sym);
}
#ifndef RTLD_NEXT
@@ -297,11 +299,11 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym)
static VALUE rb_fiddle_handle_s_sym(VALUE self, VALUE sym) {
- return fiddle_handle_sym(RTLD_NEXT, StringValueCStr(sym));
+ return fiddle_handle_sym(RTLD_NEXT, sym);
} static VALUE
-fiddle_handle_sym(void *handle, const char *name)
+fiddle_handle_sym(void *handle, VALUE symbol)
{
#if defined(HAVE_DLERROR)
const char *err;
@@ -310,6 +312,7 @@ fiddle_handle_sym(void *handle, const char *name)
# define CHECK_DLERROR
#endif
void (*func)();
+ const char *name = SafeStringValueCStr(symbol);
rb_secure(2);
#ifdef HAVE_DLERROR
@@ -359,7 +362,7 @@ fiddle_handle_sym(void *handle, const char *name)
}
#endif
if( !func ){
- rb_raise(rb_eFiddleError, "unknown symbol \"%s\"", name);
+ rb_raise(rb_eFiddleError, "unknown symbol \"%"PRIsVALUE"\"", symbol);
} return PTR2NUM(func);
diff --git a/test/fiddle/test_handle.rb b/test/fiddle/test_handle.rb
index 7621e1d933c754..3f48c6fe674188 100644
--- a/test/fiddle/test_handle.rb
+++ b/test/fiddle/test_handle.rb
@@ -10,6 +10,23 @@ class TestHandle < TestCase
include Test::Unit::Assertions
+ def test_safe_handle_open
+ t = Thread.new do
+ $SAFE = 1
+ Fiddle::Handle.new(LIBC_SO.taint)
+ end
+ assert_raise(SecurityError) { t.value }
+ end
+
+ def test_safe_function_lookup
+ t = Thread.new do
+ h = Fiddle::Handle.new(LIBC_SO)
+ $SAFE = 1
+ h["qsort".taint]
+ end
+ assert_raise(SecurityError) { t.value }
+ end
+
def test_to_i handle = Fiddle::Handle.new(LIBC_SO) assert_kind_of Integer, handle.to_i
diff --git a/version.h b/version.h
index 62097daa8f1258..743ebe84b8d243 100644
--- a/version.h
+++ b/version.h
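Review bot: `LIBC_SO.taint` in `test_safe_handle_open` taints the shared constant in place, since `taint` returns its receiver rather than a copy, so every later test that passes `LIBC_SO` to `Fiddle::Handle.new` now hands it a tainted string; harmless while those tests run at `$SAFE` 0, but a hidden cross-test side effect that would make failures confusing if one of them ever raised the safe level. Use `Fiddle::Handle.new(LIBC_SO.dup.taint)` instead; the `"qsort".taint` in `test_safe_function_lookup` is a fresh literal and is fine as written. The enclosing `TestHandle` class continues outside the hunk.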
@@ -1,10 +1,10 @@
#define RUBY_VERSION "2.0.0"
-#define RUBY_RELEASE_DATE "2015-08-18"
-#define RUBY_PATCHLEVEL 647
+#define RUBY_RELEASE_DATE "2015-12-16"
+#define RUBY_PATCHLEVEL 648
#define RUBY_RELEASE_YEAR 2015
-#define RUBY_RELEASE_MONTH 8
-#define RUBY_RELEASE_DAY 18
+#define RUBY_RELEASE_MONTH 12
+#define RUBY_RELEASE_DAY 16
#include "ruby/version.h"