diff options
| -rw-r--r-- | ChangeLog | 13 | ||||
| -rw-r--r-- | error.c | 6 | ||||
| -rw-r--r-- | test/ruby/test_exception.rb | 22 |
3 files changed, 37 insertions, 4 deletions
@@ -1,3 +1,16 @@ +Fri Feb 18 20:02:29 2011 Shugo Maeda <[email protected]> + + * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): + Test for below. + +Fri Feb 18 19:58:34 2011 URABE Shyouhei <[email protected]> + + * error.c (exc_to_s): untainted strings can be tainted via + Exception#to_s, which enables attackers to overwrite sane strings. + Reported by: Yusuke Endoh <mame at tsg.ne.jp>. + + * error.c (name_err_to_s): ditto. + Wed Jan 19 17:38:03 2011 NAKAMURA Usaku <[email protected]> * win32/win32.c (init_stdhandle): backport mistake of r29382. @@ -403,7 +403,6 @@ exc_to_s(exc) VALUE mesg = rb_attr_get(exc, rb_intern("mesg")); if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); return mesg; } @@ -667,10 +666,9 @@ name_err_to_s(exc) if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); StringValue(str); if (str != mesg) { - rb_iv_set(exc, "mesg", mesg = str); + OBJ_INFECT(str, mesg); } - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); - return mesg; + return str; } /* diff --git a/test/ruby/test_exception.rb b/test/ruby/test_exception.rb index 4c27c52f3c..c5f409117c 100644 --- a/test/ruby/test_exception.rb +++ b/test/ruby/test_exception.rb @@ -184,4 +184,26 @@ class TestException < Test::Unit::TestCase assert(false) end end + + def test_to_s_taintness_propagation + for exc in [Exception, NameError] + m = "abcdefg" + e = exc.new(m) + e.taint + s = e.to_s + assert_equal(false, m.tainted?, + "#{exc}#to_s should not propagate taintness") + assert_equal(false, s.tainted?, + "#{exc}#to_s should not propagate taintness") + end + + o = Object.new + def o.to_str + "foo" + end + o.taint + e = NameError.new(o) + s = e.to_s + assert_equal(true, s.tainted?) + end end |