* file.c (path_check_0): check if sticky bit is set on parent

directories for executable path.  fixed: [ruby-dev:29415]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@10863 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,8 @@
+Tue Sep  5 05:49:41 2006  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* file.c (path_check_0): check if sticky bit is set on parent
+	  directories for executable path.  fixed: [ruby-dev:29415]
+
 Tue Sep  5 05:03:46 2006  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
 	* numeric.c (fix_plus): addition in Fixnum will never overflow

file.c

@@ -4046,7 +4046,7 @@ is_absolute_path(const char *path)
 
 #ifndef DOSISH
 static int
-path_check_0(VALUE path, int loadpath)
+path_check_0(VALUE path, int execpath)
 {
     struct stat st;
     char *p0 = StringValueCStr(path);
@@ -4061,7 +4061,7 @@ path_check_0(VALUE path, int loadpath)
 
 	rb_str_cat2(newpath, "/");
 	rb_str_cat2(newpath, p0);
-	return path_check_0(newpath, loadpath);
+	p0 = RSTRING_PTR(path = newpath);
     }
     for (;;) {
 #ifndef S_IWOTH
@@ -4069,10 +4069,11 @@ path_check_0(VALUE path, int loadpath)
 #endif
 	if (stat(p0, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH)
 #ifdef S_ISVTX
-	    && (loadpath || !(st.st_mode & S_ISVTX))
+	    && !(p && execpath && (st.st_mode & S_ISVTX))
 #endif
 	    && !access(p0, W_OK)) {
-	    rb_warn("Insecure world writable dir %s, mode 0%o", p0, st.st_mode);
+	    rb_warn("Insecure world writable dir %s in %sPATH, mode 0%o",
+		    p0, (execpath ? "" : "LOAD_"), st.st_mode);
 	    if (p) *p = '/';
 	    return 0;
 	}
@@ -4247,9 +4248,6 @@ rb_find_file(VALUE path)
 	}
 	else {
 	    lpath = RSTRING_PTR(tmp);
-	    if (rb_safe_level() >= 1 && !rb_path_check(lpath)) {
-		rb_raise(rb_eSecurityError, "loading from unsafe path %s", lpath);
-	    }
 	}
     }
     else {