author | nagai <nagai@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2004-10-07 16:14:29 +0000 |
---|---|---|
committer | nagai <nagai@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2004-10-07 16:14:29 +0000 |
commit | d2eea09f4a1f67faccac9c99bb1e54e49f3e507d (patch) | |
tree | fdf33443f0938ac10650327c3e12385df5385f40 | |
parent | c2f8cec766967673fe59f30c8bd3cf2d5d011250 (diff) | |
download | ruby-d2eea09f4a1f67faccac9c99bb1e54e49f3e507d.tar.gz |
* ext/tk/lib/tk/optiondb.rb: make it more secure
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@7014 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | ext/tk/lib/tk/optiondb.rb | 55 |
2 files changed, 38 insertions, 21 deletions
@@ -1,3 +1,7 @@ +Fri Oct 8 01:13:05 2004 Hidetoshi NAGAI <nagai@ai.kyutech.ac.jp> + + * ext/tk/lib/tk/optiondb.rb: make it more secure + Thu Oct 7 23:47:57 2004 Hidetoshi NAGAI <nagai@ai.kyutech.ac.jp> * ext/tk/lib/tk/scrollbar.rb: When 'set' operation, a scrollbar diff --git a/ext/tk/lib/tk/optiondb.rb b/ext/tk/lib/tk/optiondb.rb index 1f455dfa05..d940f38769 100644 --- a/ext/tk/lib/tk/optiondb.rb +++ b/ext/tk/lib/tk/optiondb.rb @@ -129,13 +129,23 @@ module TkOptionDB # support procs on the resource database @@resource_proc_class = Class.new + + @@resource_proc_class.const_set(:CARRIER, '.'.freeze) + + @@resource_proc_class.instance_variable_set('@method_tbl', + TkCore::INTERP.create_table) + @@resource_proc_class.instance_variable_set('@add_method', false) + @@resource_proc_class.instance_variable_set('@safe_mode', 4) + class << @@resource_proc_class private :new - + +=begin CARRIER = '.'.freeze METHOD_TBL = TkCore::INTERP.create_table ADD_METHOD = false SAFE_MODE = 4 +=end =begin def __closed_block_check__(str) @@ -162,13 +172,15 @@ module TkOptionDB end def method_missing(id, *args) - res_proc, proc_str = self::METHOD_TBL[id] + #res_proc, proc_str = self::METHOD_TBL[id] + res_proc, proc_str = @method_tbl[id] proc_source = TkOptionDB.get(self::CARRIER, id.id2name, '').strip res_proc = nil if proc_str != proc_source # resource is changed unless res_proc.kind_of? Proc - if id == :new || !(self::METHOD_TBL.has_key?(id) || self::ADD_METHOD) + #if id == :new || !(self::METHOD_TBL.has_key?(id) || self::ADD_METHOD) + if id == :new || !(@method_tbl.has_key?(id) || @add_method) raise NoMethodError, "not support resource-proc '#{id.id2name}' for #{self.name}" end 
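Review bot: The old constant definitions stay in the file inside a new `=begin`/`=end` block in the `@@ -129` hunk, and the later hunks of this file keep the replaced lines as `#` comments (`#res_proc, proc_str = self::METHOD_TBL[id]`, the old `eval` line, the old `const_set` calls). In security-sensitive code this makes it harder to see which storage is live. I would delete the dead lines and leave a single comment instead, for example `# table, add flag and safe level are class-level instance variables, not constants`. The `class << @@resource_proc_class` body continues outside the hunk.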
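Review bot: `@method_tbl[id]` at the top of `method_missing` (the `@@ -162` hunk) has no guard for a class whose `@method_tbl` was never set. The old `self::METHOD_TBL` was resolved through the ancestors, but a class-level instance variable belongs to one class object only. A subclass that did not receive its own `instance_variable_set` calls would therefore fail here with a NoMethodError on nil instead of the intended message. A guard such as `raise NoMethodError, "not support resource-proc '#{id.id2name}'" unless @method_tbl` keeps that failure explicit. `method_missing` continues past the end of this hunk.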
@@ -178,14 +190,16 @@ module TkOptionDB proc_str = __check_proc_string__(proc_str) res_proc = proc{ begin - eval("$SAFE = #{self::SAFE_MODE};\nProc.new" + proc_str) + #eval("$SAFE = #{self::SAFE_MODE};\nProc.new" + proc_str) + eval("$SAFE = #{@safe_mode};\nProc.new" + proc_str) rescue SyntaxError=>err raise SyntaxError, TkCore::INTERP._toUTF8(err.message.gsub(/\(eval\):\d:/, "(#{id.id2name}):")) end }.call - self::METHOD_TBL[id] = [res_proc, proc_source] + #self::METHOD_TBL[id] = [res_proc, proc_source] + @method_tbl[id] = [res_proc, proc_source] end res_proc.call(*args) end @@ -266,10 +280,19 @@ module TkOptionDB cmd_klass = Class.new(TkOptionDB.module_eval('@@resource_proc_class')) end cmd_klass.const_set(:CARRIER, carrier.dup.freeze) + + cmd_klass.instance_variable_set('@method_tbl', TkCore::INTERP.create_table) + cmd_klass.instance_variable_set('@add_method', add) + cmd_klass.instance_variable_set('@safe_mode', safe) + func.each{|f| + cmd_klass.instance_variable_get('@method_tbl')[f.to_s.intern] = nil + } +=begin cmd_klass.const_set(:METHOD_TBL, TkCore::INTERP.create_table) cmd_klass.const_set(:ADD_METHOD, add) cmd_klass.const_set(:SAFE_MODE, safe) func.each{|f| cmd_klass::METHOD_TBL[f.to_s.intern] = nil } +=end cmd_klass end 
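Review bot: The string passed to `eval` in the `@@ -178` hunk is still evaluated in the context of `method_missing`, so the resulting Proc appears to run with the resource-proc class as `self`. Moving the state to `@method_tbl`, `@add_method` and `@safe_mode` takes it out of reach of constant lookups, but isolation from the evaluated resource text presumably still rests on the `$SAFE` level rather than on the nulled reflection methods. I would record that above the `eval`, e.g. `# proc_str runs with this class as self; protection of the @-variables relies on $SAFE, not on hiding them`. If that is not the intent, consider evaluating against a separate binding. The method starts outside this hunk.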
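Review bot: In the `@@ -266` hunk, `cmd_klass.instance_variable_set(...)` and `cmd_klass.instance_variable_get(...)` go through normal dispatch, while this same commit adds both names to the list that `__remove_methods_of_proc_class` aliases to `__null_method`. Singleton methods are inherited by subclasses, so if the parent given to `Class.new` has already been through that function, these calls would silently do nothing and `@method_tbl` would stay unset. The branch that selects the parent is outside the hunk, so this needs confirming. Calling the original implementation explicitly removes the dependency, e.g. `Kernel.instance_method(:instance_variable_set).bind(cmd_klass).call('@safe_mode', safe)`. The same question applies to the retained `cmd_klass.const_set(:CARRIER, ...)`.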
@@ -279,25 +302,15 @@ module TkOptionDB def __remove_methods_of_proc_class(klass) # for security, make these methods invalid class << klass -=begin - attr_reader :class_eval, :name, :superclass, - :ancestors, :const_defined?, :const_get, :const_set, - :constants, :included_modules, :instance_methods, - :method_defined?, :module_eval, :private_instance_methods, - :protected_instance_methods, :public_instance_methods, - :remove_const, :remove_method, :undef_method, - :to_s, :inspect, :display, :method, :methods, - :instance_eval, :instance_variables, :kind_of?, :is_a?, - :private_methods, :protected_methods, :public_methods -=end def __null_method(*args); nil; end - [ :class_eval, :name, :superclass, - :ancestors, :const_defined?, :const_get, :const_set, - :constants, :included_modules, :instance_methods, + [ :class_eval, :name, :superclass, :clone, :dup, :autoload, :autoload?, + :ancestors, :const_defined?, :const_get, :const_set, :const_missing, + :class_variables, :constants, :included_modules, :instance_methods, :method_defined?, :module_eval, :private_instance_methods, :protected_instance_methods, :public_instance_methods, - :remove_const, :remove_method, :undef_method, - :to_s, :inspect, :display, :method, :methods, + :singleton_methods, :remove_const, :remove_method, :undef_method, + :to_s, :inspect, :display, :method, :methods, :respond_to?, + :instance_variable_get, :instance_variable_set, :instance_method, :instance_eval, :instance_variables, :kind_of?, :is_a?, :private_methods, :protected_methods, :public_methods ].each{|m| alias_method(m, :__null_method) |
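Review bot: The list of methods to neutralise is a hand-maintained deny-list, and this commit has to add eleven names the previous version missed, which suggests it will keep lagging behind the reflective API. Consider nulling every singleton-visible method except a short explicit allow-list. At minimum, add a comment stating the rule for membership, e.g. `# every method that exposes or changes class state must be listed; review on each Ruby upgrade`. Note also that `:name` is in the list while the NoMethodError message in `method_missing` interpolates `self.name`, so that message would presumably lose the class name once this has been applied. The function's closing lines are outside the hunk.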