diff --git a/ChangeLog b/ChangeLog index 07002c5c10..6e0e2ac4b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +Fri Feb 18 20:02:29 2011 Shugo Maeda + + * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): + Test for below. + +Fri Feb 18 19:58:34 2011 URABE Shyouhei + + * error.c (exc_to_s): untainted strings can be tainted via + Exception#to_s, which enables attackers to overwrite sane strings. + Reported by: Yusuke Endoh . + + * error.c (name_err_to_s): ditto. + Wed Jan 19 17:38:03 2011 NAKAMURA Usaku * win32/win32.c (init_stdhandle): backport mistake of r29382. diff --git a/error.c b/error.c index a0186182f6..b55a68daca 100644 --- a/error.c +++ b/error.c @@ -403,7 +403,6 @@ exc_to_s(exc) VALUE mesg = rb_attr_get(exc, rb_intern("mesg")); if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); return mesg; } @@ -667,10 +666,9 @@ name_err_to_s(exc) if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); StringValue(str); if (str != mesg) { - rb_iv_set(exc, "mesg", mesg = str); + OBJ_INFECT(str, mesg); } - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); - return mesg; + return str; } /* diff --git a/test/ruby/test_exception.rb b/test/ruby/test_exception.rb index 4c27c52f3c..c5f409117c 100644 --- a/test/ruby/test_exception.rb +++ b/test/ruby/test_exception.rb @@ -184,4 +184,26 @@ class TestException < Test::Unit::TestCase assert(false) end end + + def test_to_s_taintness_propagation + for exc in [Exception, NameError] + m = "abcdefg" + e = exc.new(m) + e.taint + s = e.to_s + assert_equal(false, m.tainted?, + "#{exc}#to_s should not propagate taintness") + assert_equal(false, s.tainted?, + "#{exc}#to_s should not propagate taintness") + end + + o = Object.new + def o.to_str + "foo" + end + o.taint + e = NameError.new(o) + s = e.to_s + assert_equal(true, s.tainted?) + end end