Jeremy Evans a15f7dd1fb Always mark the string returned by File.realpath as tainted ... This string can include elements that were not in either string passed to File.realpath, even if one of the strings is an absolute path, due to symlinks: ```ruby Dir.mkdir('b') unless File.directory?('b') File.write('b/a', '') unless File.file?('b/a') File.symlink('b', 'c') unless File.symlink?('c') path = File.realpath('c/a'.untaint, Dir.pwd.untaint) path # "/home/testr/ruby/b/a" path.tainted? # should be true, as 'b' comes from file system ``` [Bug #15803]		2019-04-28 10:47:51 +09:00
..
-ext-
base64
benchmark
bigdecimal
cgi
coverage
csv
date
dbm
digest
drb
dtrace
erb
etc
excludes
fiddle
fileutils
gdbm
io
irb
json
lib
logger
matrix
minitest
misc
mkmf
monitor
net
nkf
objspace
open-uri
openssl
optparse
ostruct
pathname
psych
rdoc
readline
resolv
rexml
rinda
ripper
rss
ruby
rubygems
scanf
sdbm
shell
socket
stringio
strscan
syslog
testunit
uri
webrick
win32ole
yaml
zlib
colors
runner.rb
test_abbrev.rb
test_cmath.rb
test_delegate.rb
test_extlibs.rb
test_find.rb
test_forwardable.rb
test_ipaddr.rb
test_mutex_m.rb
test_observer.rb
test_open3.rb
test_pp.rb
test_prettyprint.rb
test_prime.rb
test_pstore.rb
test_pty.rb
test_rbconfig.rb
test_securerandom.rb
test_set.rb
test_shellwords.rb
test_singleton.rb
test_sync.rb
test_syslog.rb
test_tempfile.rb
test_time.rb
test_timeout.rb
test_tmpdir.rb
test_tracer.rb
test_tsort.rb
test_unicode_normalize.rb
test_weakref.rb
test_win32api.rb