* string.c (rb_str_intern): prohibit interning tainted string.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@10916 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

.cvsignore

@@ -8,6 +8,7 @@
 .ext
 .git
 .svn
+.pc
 .rbconfig.time
 COPYING.LIB
 ChangeLog.pre-alpha
@@ -26,32 +27,20 @@ config.h.in
 config.log
 config.status
 configure
-foo.rb
 libruby.so.*
 miniruby
-miniruby.elhash
-miniruby.elhash2
-miniruby.orig2
-miniruby.plhash
-miniruby.plhash2
-modex.rb
 newdate.rb
 newver.rb
 parse.c
-parse.y.try
+patches
-pitest.rb
 ppack
 preview
 rbconfig.rb
-rename2.h
 repack
 riscos
 rubicon
 ruby
 ruby-man.rd.gz
-rubyunit
-st.c.power
-this that
 tmp
 web
 y.output

ChangeLog

@@ -1,3 +1,7 @@
+Wed Sep 13 16:43:36 2006  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* string.c (rb_str_intern): prohibit interning tainted string.
+
 Wed Sep 13 01:14:21 2006  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* lib/optparse.rb (OptionParser#getopts): works with pre-registered

string.c

@@ -4404,6 +4404,9 @@ rb_str_intern(s)
     }
     if (strlen(RSTRING(str)->ptr) != RSTRING(str)->len)
 	rb_raise(rb_eArgError, "symbol string may not contain `\\0'");
+    if (OBJ_TAINTED(str)) {
+	rb_raise(rb_eSecurityError, "Insecure: can't intern tainted string");
+    }
     id = rb_intern(RSTRING(str)->ptr);
     return ID2SYM(id);
 }