hash.c: prohibit tainted strings

* hash.c (env_aset, env_has_key, env_assoc, env_has_value),
  (env_rassoc, env_key): prohibit tainted strings if $SAFE is
  non-zero.  [Bug #9976]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46547 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,9 @@
+Wed Jun 25 10:19:59 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* hash.c (env_aset, env_has_key, env_assoc, env_has_value),
+	  (env_rassoc, env_key): prohibit tainted strings if $SAFE is
+	  non-zero.  [Bug #9976]
+
 Tue Jun 24 14:46:17 2014  SHIBATA Hiroshi  <shibata.hiroshi@gmail.com>
 
 	* lib/gserver.rb: remove redundant use of to_s in interpolation.

hash.c

@@ -2871,8 +2871,8 @@ env_aset(VALUE obj, VALUE nm, VALUE val)
 	env_delete(obj, nm);
 	return Qnil;
     }
-    StringValue(nm);
+    SafeStringValue(nm);
-    StringValue(val);
+    SafeStringValue(val);
     name = RSTRING_PTR(nm);
     value = RSTRING_PTR(val);
     if (memchr(name, '\0', RSTRING_LEN(nm)))
@@ -3369,7 +3369,8 @@ env_has_key(VALUE env, VALUE key)
 {
     char *s;
 
-    s = StringValuePtr(key);
+    SafeStringValue(key);
+    s = RSTRING_PTR(key);
     if (memchr(s, '\0', RSTRING_LEN(key)))
 	rb_raise(rb_eArgError, "bad environment variable name");
     if (getenv(s)) return Qtrue;
@@ -3388,7 +3389,8 @@ env_assoc(VALUE env, VALUE key)
 {
     char *s, *e;
 
-    s = StringValuePtr(key);
+    SafeStringValue(key);
+    s = RSTRING_PTR(key);
     if (memchr(s, '\0', RSTRING_LEN(key)))
 	rb_raise(rb_eArgError, "bad environment variable name");
     e = getenv(s);
@@ -3410,6 +3412,7 @@ env_has_value(VALUE dmy, VALUE obj)
 
     obj = rb_check_string_type(obj);
     if (NIL_P(obj)) return Qnil;
+    rb_check_safe_obj(obj);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
@@ -3440,6 +3443,7 @@ env_rassoc(VALUE dmy, VALUE obj)
 
     obj = rb_check_string_type(obj);
     if (NIL_P(obj)) return Qnil;
+    rb_check_safe_obj(obj);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
@@ -3470,7 +3474,7 @@ env_key(VALUE dmy, VALUE value)
     char **env;
     VALUE str;
 
-    StringValue(value);
+    SafeStringValue(value);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');

test/ruby/test_env.rb

@@ -426,4 +426,85 @@ class TestEnv < Test::Unit::TestCase
       assert_predicate(ENV.fetch(k), :frozen?, "fetch(#{k.dump})")
     end
   end
+
+  def test_taint_aref
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO".taint]
+      end.call
+    end
+  end
+
+  def test_taint_fetch
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.fetch("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_assoc
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.assoc("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_rassoc
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.rassoc("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_key
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.key("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_key_p
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.key?("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_value_p
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.value?("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_aset_value
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO"] = "BAR".taint
+      end.call
+    end
+  end
+
+  def test_taint_aset_key
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO".taint] = "BAR"
+      end.call
+    end
+  end
 end