diff options
author | eregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-08-03 16:19:40 +0000 |
---|---|---|
committer | eregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-08-03 16:19:40 +0000 |
commit | b53cf149ad8d7c46572e4567ca949b4f82ebb22c (patch) | |
tree | ee5032bcb38573dade8ba2c46acbcc0d5f3ddfe3 /spec/ruby/security/cve_2010_1330_spec.rb | |
parent | aeeaadaad08038217440c1e9e7c5ca126d7dc633 (diff) | |
download | ruby-b53cf149ad8d7c46572e4567ca949b4f82ebb22c.tar.gz |
Update to ruby/spec@9be7c7e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64180 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'spec/ruby/security/cve_2010_1330_spec.rb')
-rw-r--r-- | spec/ruby/security/cve_2010_1330_spec.rb | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/ruby/security/cve_2010_1330_spec.rb b/spec/ruby/security/cve_2010_1330_spec.rb new file mode 100644 index 0000000000..c41a5e0a2e --- /dev/null +++ b/spec/ruby/security/cve_2010_1330_spec.rb @@ -0,0 +1,21 @@ +require_relative '../spec_helper' + +describe "String#gsub" do + + it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do + # This original vulnerability talked about KCODE, which is no longer + # used. Instead we are forcing encodings here. But I think the idea is the + # same - we want to check that Ruby implementations raise an error on + # #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte + # sequence. + + str = "\xF6<script>" + str.force_encoding Encoding::ASCII_8BIT + str.gsub(/</, "<").should == "\xF6<script>".b + str.force_encoding Encoding::UTF_8 + lambda { + str.gsub(/</, "<") + }.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/) + end + +end |