mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
Update to ruby/spec@9be7c7e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64180 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
eregon
parent
aeeaadaad0
commit
b53cf149ad
246 changed files with 9108 additions and 548 deletions
21
spec/ruby/security/cve_2010_1330_spec.rb
Normal file
21
spec/ruby/security/cve_2010_1330_spec.rb
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
require_relative '../spec_helper'
|
||||
|
||||
describe "String#gsub" do
|
||||
|
||||
it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do
|
||||
# This original vulnerability talked about KCODE, which is no longer
|
||||
# used. Instead we are forcing encodings here. But I think the idea is the
|
||||
# same - we want to check that Ruby implementations raise an error on
|
||||
# #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
|
||||
# sequence.
|
||||
|
||||
str = "\xF6<script>"
|
||||
str.force_encoding Encoding::ASCII_8BIT
|
||||
str.gsub(/</, "<").should == "\xF6<script>".b
|
||||
str.force_encoding Encoding::UTF_8
|
||||
lambda {
|
||||
str.gsub(/</, "<")
|
||||
}.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/)
|
||||
end
|
||||
|
||||
end
|
||||
Loading…
Add table
Add a link
Reference in a new issue