erb.rb: safe concurrent use

* lib/erb.rb (ERB#run, ERB#result): eval under isolated bindings for safe concurrent use. [ruby-core:47638] [Bug #7046] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@37594 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2012-11-09 14:33:11 +00:00 · 2012-11-09 14:33:11 +00:00 · 62f7424640
commit 62f7424640
parent 2ce1fbeb59
3 changed files with 25 additions and 3 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Fri Nov  9 23:33:05 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* lib/erb.rb (ERB#run, ERB#result): eval under isolated bindings for
+	  safe concurrent use.  [ruby-core:47638] [Bug #7046]
+
 Fri Nov  9 23:05:06 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>

 	* random.c (BYTE_ORDER): define using configured WORDS_BIGENDIAN.
--- a/lib/erb.rb
+++ b/lib/erb.rb
@ -1,3 +1,4 @@
+# -*- coding: us-ascii -*-
 # = ERB -- Ruby Templating
 #
 # Author:: Masatoshi SEKI
@ -818,7 +819,7 @@ class ERB
  end

  # Generate results and print them. (see ERB#result)
-  def run(b=TOPLEVEL_BINDING)
+  def run(b=new_toplevel)
    print self.result(b)
  end

@ -830,7 +831,7 @@ class ERB
  # _b_ accepts a Binding or Proc object which is used to set the context of
  # code evaluation.
  #
-  def result(b=TOPLEVEL_BINDING)
+  def result(b=new_toplevel)
    if @safe_level
      proc {
        $SAFE = @safe_level
@ -841,6 +842,12 @@ class ERB
    end
  end

+  def new_toplevel
+    # New binding each time *near* toplevel for unspecified runs
+    TOPLEVEL_BINDING.dup
+  end
+  private :new_toplevel
+
  # Define _methodname_ as instance method of _mod_ from compiled ruby source.
  #
  # example:
--- a/test/erb/test_erb.rb
+++ b/test/erb/test_erb.rb
@ -1,3 +1,4 @@
+# -*- coding: us-ascii -*-
 require 'test/unit'
 require 'erb'

@ -44,11 +45,20 @@ class TestERB < Test::Unit::TestCase

    assert_equal("", ERB::Util.html_escape(""))
    assert_equal("abc", ERB::Util.html_escape("abc"))
-    assert_equal("&lt;&lt;", ERB::Util.html_escape("<<"))
+    assert_equal("&lt;&lt;", ERB::Util.html_escape("<\<"))

    assert_equal("", ERB::Util.html_escape(nil))
    assert_equal("123", ERB::Util.html_escape(123))
  end
+
+  def test_concurrent_default_binding
+    template1 = 'one <%= ERB.new(template2).result %>'
+
+    eval 'template2 = "two"', TOPLEVEL_BINDING
+
+    bug7046 = '[ruby-core:47638]'
+    assert_equal("one two", ERB.new(template1).result, bug7046)
+  end
 end

 class TestERBCore < Test::Unit::TestCase