diff options
author | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-12-20 04:25:01 +0000 |
---|---|---|
committer | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-12-20 04:25:01 +0000 |
commit | cdf1b85ae79cd4fe3995a72b6b861d8eb2a9d664 (patch) | |
tree | 1c82a34ed101c31b778fd36378e24690c0505e4f | |
parent | c08e8886badd47890a54bdc54f1c09de7ad5c8e8 (diff) | |
download | ruby-cdf1b85ae79cd4fe3995a72b6b861d8eb2a9d664.tar.gz |
Fixed command Injection
* lib/resolv.rb (Resolv::Config.parse_resolv_conf): fixed
potential command injection by use of Kernel#open.
[ruby-core:84347] [Bug #14205]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | lib/resolv.rb | 2 | ||||
-rw-r--r-- | test/resolv/test_addr.rb | 11 | ||||
-rw-r--r-- | test/resolv/test_dns.rb | 10 |
3 files changed, 22 insertions, 1 deletions
diff --git a/lib/resolv.rb b/lib/resolv.rb index 56183b837d..48ee400efe 100644 --- a/lib/resolv.rb +++ b/lib/resolv.rb @@ -928,7 +928,7 @@ class Resolv nameserver = [] search = nil ndots = 1 - open(filename, 'rb') {|f| + File.open(filename, 'rb') {|f| f.each {|line| line.sub!(/[#;].*/, '') keyword, *args = line.split(/\s+/) diff --git a/test/resolv/test_addr.rb b/test/resolv/test_addr.rb index 4a2df5bfca..78a28c9633 100644 --- a/test/resolv/test_addr.rb +++ b/test/resolv/test_addr.rb @@ -27,4 +27,15 @@ class TestResolvAddr < Test::Unit::TestCase end end end + + def test_hosts_by_command + Dir.mktmpdir do |dir| + Dir.chdir(dir) do + hosts = Resolv::Hosts.new("|echo error") + assert_raise(Errno::ENOENT) do + hosts.each_name("") {} + end + end + end + end end diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb index f21a094b20..8236078374 100644 --- a/test/resolv/test_dns.rb +++ b/test/resolv/test_dns.rb @@ -179,6 +179,16 @@ class TestResolvDNS < Test::Unit::TestCase end end + def test_resolv_conf_by_command + Dir.mktmpdir do |dir| + Dir.chdir(dir) do + assert_raise(Errno::ENOENT) do + Resolv::DNS::Config.parse_resolv_conf("|echo foo") + end + end + end + end + def test_dots_diffences name1 = Resolv::DNS::Name.create("example.org") name2 = Resolv::DNS::Name.create("ex.ampl.eo.rg") |