File ruby-1.8.x_exception_tainted_message.patch of Package ruby

r30903 | shyouhei | 2011-02-18 12:05:02 +0100 (Fri, 18 Feb 2011) | 9 lines

* error.c (exc_to_s): untainted strings can be tainted via
  Exception#to_s, which enables attackers to overwrite sane strings.
  Reported by: Yusuke Endoh <mame at tsg.ne.jp>.

* error.c (name_err_to_s): ditto.

* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
  Test for it.

Index: error.c
===================================================================
--- error.c	(revision 30902)
+++ error.c	(revision 30903)
@@ -403,7 +403,6 @@
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
@@ -667,10 +666,9 @@
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-	rb_iv_set(exc, "mesg", mesg = str);
+	OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*
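Review bot: `OBJ_INFECT(str, mesg);` still sets the taint bit on an existing object in place: inside the `str != mesg` branch, `str` is whatever `StringValue` obtained from the message object, presumably via its `to_str`. If that method returns a string the object also keeps or shares rather than a fresh one, a tainted message object would taint that shared string, which is the same kind of side effect this commit removes for `exc`. Copying before infecting would contain it, e.g. `str = rb_str_dup(str);` on the line before `OBJ_INFECT(str, mesg);`. The declarations of `mesg` and `str` sit above the hunk, so this assumes `str` starts out equal to `mesg`.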
Index: test/ruby/test_exception.rb
===================================================================
--- test/ruby/test_exception.rb	(revision 30902)
+++ test/ruby/test_exception.rb	(revision 30903)
@@ -184,4 +184,26 @@
       assert(false)
     end
   end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+    
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end
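Review bot: The tainted-exception case is only exercised with a String message; the `to_str` part taints `o`, not `e`, so the new `return str` path in name_err_to_s is never run with a tainted exception and an untainted non-String message. A further case would pin that down: a second object with the same `to_str`, left untainted, wrapped in `NameError.new`, then `e.taint` and `assert_equal(false, e.to_s.tainted?)`. The final `assert_equal(true, s.tainted?)` also lacks the failure message the other assertions carry, e.g. `"NameError#to_s should propagate taint from a non-String message"`.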