author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-12-16 12:08:49 +0000 |
---|---|---|
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-12-16 12:08:49 +0000 |
commit | 79c7a51893e1c8b95d98728feb7c75bc31671ed8 (patch) | |
tree | 97a2de4140f10c60d5b748c38e2ad3b060330b3a | |
parent | ed57f299b243842e4e874189771d93340aaadddc (diff) | |
download | ruby-79c7a51893e1c8b95d98728feb7c75bc31671ed8.tar.gz |
* ext/fiddle/handle.c: check tainted string arguments.
Patch provided by tenderlove and nobu.
* test/fiddle/test_handle.rb (class TestHandle): add test for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53153 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | ext/fiddle/handle.c | 17 | ||||
-rw-r--r-- | test/fiddle/test_handle.rb | 17 |
3 files changed, 35 insertions, 7 deletions
@@ -1,3 +1,11 @@ +Wed Dec 16 20:32:43 2015 CHIKANAGA Tomoyuki <nagachika@ruby-lang.org> + + * ext/fiddle/handle.c: check tainted string arguments. + Patch provided by tenderlove and nobu. + + * test/fiddle/test_handle.rb (class TestHandle): add test for above. + + Wed Dec 16 19:30:56 2015 Shugo Maeda <shugo@ruby-lang.org> * vm.c (vm_make_proc_from_block): should convert a Symbol to a Proc. diff --git a/ext/fiddle/handle.c b/ext/fiddle/handle.c index 410442160c..e727ccfd00 100644 --- a/ext/fiddle/handle.c +++ b/ext/fiddle/handle.c @@ -1,6 +1,8 @@ #include <ruby.h> #include <fiddle.h> +#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v)) + VALUE rb_cHandle; struct dl_handle { @@ -143,11 +145,11 @@ rb_fiddle_handle_initialize(int argc, VALUE argv[], VALUE self) cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 1: - clib = NIL_P(lib) ? NULL : StringValuePtr(lib); + clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib); cflag = RTLD_LAZY | RTLD_GLOBAL; break; case 2: - clib = NIL_P(lib) ? NULL : StringValuePtr(lib); + clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib); cflag = NUM2INT(flag); break; default: @@ -262,7 +264,7 @@ rb_fiddle_handle_to_i(VALUE self) return PTR2NUM(fiddle_handle); } -static VALUE fiddle_handle_sym(void *handle, const char *symbol); +static VALUE fiddle_handle_sym(void *handle, VALUE symbol); /* * Document-method: sym @@ -281,7 +283,7 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym) rb_raise(rb_eFiddleError, "closed handle"); } - return fiddle_handle_sym(fiddle_handle->ptr, StringValueCStr(sym)); + return fiddle_handle_sym(fiddle_handle->ptr, sym); } #ifndef RTLD_NEXT 
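Review bot: The new `SafeStringValueCStr(v)` macro at the top of ext/fiddle/handle.c expands its argument twice and takes `&v` unparenthesized, so it is only correct when `v` is a plain lvalue with no side effects. The three call sites in this commit satisfy that, but nothing states the requirement. A `static` helper taking a pointer would remove the hazard, e.g. `static const char *safe_cstr(VALUE *v) { rb_check_safe_obj(rb_string_value(v)); return StringValueCStr(*v); }`. Either way, a comment above it would make the contract visible, such as `/* Raises SecurityError for a tainted string when $SAFE >= 1 and ArgumentError on an embedded NUL; converts v to a String in place. */`. The tests in this commit exercise the taint check only at `$SAFE = 1`.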
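Review bot: In `case 2:` of rb_fiddle_handle_initialize, `clib` is taken from `lib` before `cflag = NUM2INT(flag);` runs, and `NUM2INT` can call a user-defined `to_int` on a non-Integer `flag`. That callback runs arbitrary Ruby code after the taint and NUL checks have passed, and if it modifies or replaces the contents of `lib`, `clib` may no longer point at the validated bytes when it is used later. Converting the flag first closes the gap: `cflag = NUM2INT(flag);` followed by `clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);`. The rest of the function, including the place where `clib` is consumed, is outside this hunk, so confirm that nothing else runs Ruby code between the conversion and that use.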
@@ -304,11 +306,11 @@ rb_fiddle_handle_sym(VALUE self, VALUE sym) static VALUE rb_fiddle_handle_s_sym(VALUE self, VALUE sym) { - return fiddle_handle_sym(RTLD_NEXT, StringValueCStr(sym)); + return fiddle_handle_sym(RTLD_NEXT, sym); } static VALUE -fiddle_handle_sym(void *handle, const char *name) +fiddle_handle_sym(void *handle, VALUE symbol) { #if defined(HAVE_DLERROR) const char *err; @@ -317,6 +319,7 @@ fiddle_handle_sym(void *handle, const char *name) # define CHECK_DLERROR #endif void (*func)(); + const char *name = SafeStringValueCStr(symbol); #ifdef HAVE_DLERROR dlerror(); @@ -365,7 +368,7 @@ fiddle_handle_sym(void *handle, const char *name) } #endif if( !func ){ - rb_raise(rb_eFiddleError, "unknown symbol \"%s\"", name); + rb_raise(rb_eFiddleError, "unknown symbol \"%"PRIsVALUE"\"", symbol); } return PTR2NUM(func); diff --git a/test/fiddle/test_handle.rb b/test/fiddle/test_handle.rb index f14357c6cb..fecf366f4f 100644 --- a/test/fiddle/test_handle.rb +++ b/test/fiddle/test_handle.rb @@ -10,6 +10,23 @@ module Fiddle include Test::Unit::Assertions + def test_safe_handle_open + t = Thread.new do + $SAFE = 1 + Fiddle::Handle.new(LIBC_SO.taint) + end + assert_raise(SecurityError) { t.value } + end + + def test_safe_function_lookup + t = Thread.new do + h = Fiddle::Handle.new(LIBC_SO) + $SAFE = 1 + h["qsort".taint] + end + assert_raise(SecurityError) { t.value } + end + def test_to_i handle = Fiddle::Handle.new(LIBC_SO) assert_kind_of Integer, handle.to_i |
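Review bot: The added tests in test/fiddle/test_handle.rb cover `Handle.new` and `Handle#[]`, but the commit also changes `rb_fiddle_handle_s_sym`, the class-level lookup, and no test exercises it with a tainted name. Assuming it is bound as `Fiddle::Handle.sym`, a third case running `Fiddle::Handle.sym("qsort".taint)` in a thread with `$SAFE = 1` and asserting `assert_raise(SecurityError) { t.value }` would pin that path. The switch from `StringValuePtr` to `StringValueCStr` in the initializer should also make a library path with an embedded NUL raise rather than reach the loader truncated. A check such as `assert_raise(ArgumentError) { Fiddle::Handle.new("#{LIBC_SO}\0x") }` would document that behaviour.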