file.c: preserve encoding

* file.c (rb_find_file_safe): preserve encoding of path in SecurityError messages. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@58996 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2017-06-02 03:54:19 +00:00 · 2017-06-02 03:54:19 +00:00 · 1e1964b8f2
commit 1e1964b8f2
parent 321300d4e0
2 changed files with 25 additions and 3 deletions
--- a/file.c
+++ b/file.c
@ -5840,7 +5840,7 @@ rb_find_file_safe(VALUE path, int safe_level)
    if (f[0] == '~') {
 	tmp = file_expand_path_1(path);
 	if (safe_level >= 1 && OBJ_TAINTED(tmp)) {
-	    rb_raise(rb_eSecurityError, "loading from unsafe file %s", f);
+	    rb_raise(rb_eSecurityError, "loading from unsafe file %"PRIsVALUE, tmp);
 	}
 	path = copy_path_class(tmp, path);
 	f = RSTRING_PTR(path);
@ -5849,7 +5849,7 @@ rb_find_file_safe(VALUE path, int safe_level)

    if (expanded || rb_is_absolute_path(f) || is_explicit_relative(f)) {
 	if (safe_level >= 1 && !fpath_check(path)) {
-	    rb_raise(rb_eSecurityError, "loading from unsafe path %s", f);
+	    rb_raise(rb_eSecurityError, "loading from unsafe path %"PRIsVALUE, path);
 	}
 	if (!rb_file_load_ok(f)) return 0;
 	if (!expanded)
@ -5881,7 +5881,7 @@ rb_find_file_safe(VALUE path, int safe_level)

  found:
    if (safe_level >= 1 && !fpath_check(tmp)) {
-	rb_raise(rb_eSecurityError, "loading from unsafe file %s", f);
+	rb_raise(rb_eSecurityError, "loading from unsafe file %"PRIsVALUE, tmp);
    }

    return copy_path_class(tmp, path);
--- a/test/ruby/test_require.rb
+++ b/test/ruby/test_require.rb
@ -87,6 +87,17 @@ class TestRequire < Test::Unit::TestCase
    end
  end

+  SECURITY_WARNING =
+    if /mswin|mingw/ =~ RUBY_PLATFORM
+      nil
+    else
+      proc do |require_path|
+        File.chmod(0777, File.dirname(require_path))
+        $SAFE = 1
+        require(require_path)
+      end
+    end
+
  def assert_require_nonascii_path(encoding, bug)
    Dir.mktmpdir {|tmp|
      dir = "\u3042" * 5
@ -109,6 +120,17 @@ class TestRequire < Test::Unit::TestCase
          assert_equal(self.class.ospath_encoding(require_path), $:.last.encoding, '[Bug #8753]')
          assert(!require(require_path), bug)
        }
+        $:.replace(load_path)
+        $".replace(features)
+        if SECURITY_WARNING
+          require_path.untaint
+          ospath = require_path.encode(self.class.ospath_encoding(require_path))
+          assert_warn(/Insecure world writable dir/) do
+            assert_raise_with_message(SecurityError, "loading from unsafe path #{ospath}") do
+              SECURITY_WARNING.call(require_path)
+            end
+          end
+        end
      ensure
        $:.replace(load_path)
        $".replace(features)