* error.c (exc_to_s): untainted strings can be tainted via

Exception#to_s, which enables attackers to overwrite sane strings. Reported by: Yusuke Endoh <mame at tsg.ne.jp>. * error.c (name_err_to_s): ditto. * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): Test for it. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@30903 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2011-02-18 11:05:02 +00:00 · 2011-02-18 11:05:02 +00:00 · fca16b0c57
commit fca16b0c57
parent 0d672545f1
3 changed files with 37 additions and 4 deletions
--- a/test/ruby/test_exception.rb
+++ b/test/ruby/test_exception.rb
@ -184,4 +184,26 @@ class TestException < Test::Unit::TestCase
      assert(false)
    end
  end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+    
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end