* ext/fiddle/handle.c: check tainted string arguments.

Patch provided by tenderlove and nobu. * test/fiddle/test_handle.rb (class TestHandle): add test for above. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53153 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2015-12-16 12:08:49 +00:00 · 2015-12-16 12:08:49 +00:00 · 79c7a51893
commit 79c7a51893
parent ed57f299b2
3 changed files with 35 additions and 7 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+Wed Dec 16 20:32:43 2015  CHIKANAGA Tomoyuki  <nagachika@ruby-lang.org>
+
+	* ext/fiddle/handle.c: check tainted string arguments.
+	  Patch provided by tenderlove and nobu.
+
+	* test/fiddle/test_handle.rb (class TestHandle): add test for above.
+
+
 Wed Dec 16 19:30:56 2015  Shugo Maeda  <shugo@ruby-lang.org>

 	* vm.c (vm_make_proc_from_block): should convert a Symbol to a Proc.
--- a/ext/fiddle/handle.c
+++ b/ext/fiddle/handle.c
@ -1,6 +1,8 @@
 #include <ruby.h>
 #include <fiddle.h>

+#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v))
+
 VALUE rb_cHandle;

 struct dl_handle {
@ -143,11 +145,11 @@ rb_fiddle_handle_initialize(int argc, VALUE argv[], VALUE self)
 	cflag = RTLD_LAZY | RTLD_GLOBAL;
 	break;
      case 1:
-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+	clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
 	cflag = RTLD_LAZY | RTLD_GLOBAL;
 	break;
      case 2:
-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
+	clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
 	cflag = NUM2INT(flag);
 	break;
      default:
@ -262,7 +264,7 @@ rb_fiddle_handle_to_i(VALUE self)
    return PTR2NUM(fiddle_handle);
 }

-static VALUE fiddle_handle_sym(void *handle, const char *symbol);
+static VALUE fiddle_handle_sym(void *handle, VALUE symbol);

 /*
 * Document-method: sym
@ -281,7 +283,7 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym)
 	rb_raise(rb_eFiddleError, "closed handle");
    }

-    return fiddle_handle_sym(fiddle_handle->ptr, StringValueCStr(sym));
+    return fiddle_handle_sym(fiddle_handle->ptr, sym);
 }

 #ifndef RTLD_NEXT
@ -304,11 +306,11 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym)
 static VALUE
 rb_fiddle_handle_s_sym(VALUE self, VALUE sym)
 {
-    return fiddle_handle_sym(RTLD_NEXT, StringValueCStr(sym));
+    return fiddle_handle_sym(RTLD_NEXT, sym);
 }

 static VALUE
-fiddle_handle_sym(void *handle, const char *name)
+fiddle_handle_sym(void *handle, VALUE symbol)
 {
 #if defined(HAVE_DLERROR)
    const char *err;
@ -317,6 +319,7 @@ fiddle_handle_sym(void *handle, const char *name)
 # define CHECK_DLERROR
 #endif
    void (*func)();
+    const char *name = SafeStringValueCStr(symbol);

 #ifdef HAVE_DLERROR
    dlerror();
@ -365,7 +368,7 @@ fiddle_handle_sym(void *handle, const char *name)
    }
 #endif
    if( !func ){
-	rb_raise(rb_eFiddleError, "unknown symbol \"%s\"", name);
+	rb_raise(rb_eFiddleError, "unknown symbol \"%"PRIsVALUE"\"", symbol);
    }

    return PTR2NUM(func);
--- a/test/fiddle/test_handle.rb
+++ b/test/fiddle/test_handle.rb
@ -10,6 +10,23 @@ module Fiddle

    include Test::Unit::Assertions

+    def test_safe_handle_open
+      t = Thread.new do
+        $SAFE = 1
+        Fiddle::Handle.new(LIBC_SO.taint)
+      end
+      assert_raise(SecurityError) { t.value }
+    end
+
+    def test_safe_function_lookup
+      t = Thread.new do
+        h = Fiddle::Handle.new(LIBC_SO)
+        $SAFE = 1
+        h["qsort".taint]
+      end
+      assert_raise(SecurityError) { t.value }
+    end
+
    def test_to_i
      handle = Fiddle::Handle.new(LIBC_SO)
      assert_kind_of Integer, handle.to_i