-rw-r--r-- | file.c | 6 | ||||
-rw-r--r-- | test/ruby/test_require.rb | 22 |
2 files changed, 25 insertions, 3 deletions
@@ -5840,7 +5840,7 @@ rb_find_file_safe(VALUE path, int safe_level)
 if (f[0] == '~') {
 tmp = file_expand_path_1(path);
 if (safe_level >= 1 && OBJ_TAINTED(tmp)) {
- rb_raise(rb_eSecurityError, "loading from unsafe file %s", f);
+ rb_raise(rb_eSecurityError, "loading from unsafe file %"PRIsVALUE, tmp);
 }
 path = copy_path_class(tmp, path);
 f = RSTRING_PTR(path);
@@ -5849,7 +5849,7 @@ rb_find_file_safe(VALUE path, int safe_level)
 if (expanded || rb_is_absolute_path(f) || is_explicit_relative(f)) {
 if (safe_level >= 1 && !fpath_check(path)) {
- rb_raise(rb_eSecurityError, "loading from unsafe path %s", f);
+ rb_raise(rb_eSecurityError, "loading from unsafe path %"PRIsVALUE, path);
 }
 if (!rb_file_load_ok(f)) return 0;
 if (!expanded)
@@ -5881,7 +5881,7 @@ rb_find_file_safe(VALUE path, int safe_level)
 found:
 if (safe_level >= 1 && !fpath_check(tmp)) {
- rb_raise(rb_eSecurityError, "loading from unsafe file %s", f);
+ rb_raise(rb_eSecurityError, "loading from unsafe file %"PRIsVALUE, tmp);
 }
 return copy_path_class(tmp, path);
diff --git a/test/ruby/test_require.rb b/test/ruby/test_require.rb
index 8dacd1ea12..dad7630e50 100644
--- a/test/ruby/test_require.rb
+++ b/test/ruby/test_require.rb
@@ -87,6 +87,17 @@ class TestRequire < Test::Unit::TestCase
 end
 end
+ SECURITY_WARNING =
+ if /mswin|mingw/ =~ RUBY_PLATFORM
+ nil
+ else
+ proc do |require_path|
+ File.chmod(0777, File.dirname(require_path))
+ $SAFE = 1
+ require(require_path)
+ end
+ end
+
 def assert_require_nonascii_path(encoding, bug)
 Dir.mktmpdir {|tmp|
 dir = "\u3042" * 5
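Review bot: In the first `rb_find_file_safe` hunk (the `f[0] == '~'` branch) and the third (`found:`), the SecurityError text now interpolates `tmp` where it used to print `f`, yet the test added in this commit only asserts the "loading from unsafe path" message, so neither "loading from unsafe file" raise is exercised. For the tilde branch this presumably means the message now carries the expanded home-directory path rather than the `~` form the caller passed; that is worth confirming as intended for programs that show exception text to less-trusted users. A short comment at the first raise would also record the reason for the change, e.g. `/* pass the VALUE rather than RSTRING_PTR so the message keeps the path's encoding */` (the encoding motive is inferred from the new test). The function body starts and ends outside these hunks.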
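Review bot: The `SECURITY_WARNING` proc in the first test_require.rb hunk sets `$SAFE = 1` and changes the directory mode to 0777 with no comment on why either side effect is acceptable. The test appears to rely on the `$SAFE` assignment being confined to the proc call, so that later tests in the same process still run at level 0; if that scoping does not hold on the interpreter under test, everything after this test runs restricted. I would state the assumption above the constant, e.g. `# $SAFE is raised inside a proc so the level does not outlive the call`, and say that the 0777 directory is expected to be a throwaway one created by the caller. The name also reads as a message rather than a callable; something like `REQUIRE_AT_SAFE_1` would describe it better.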
@@ -109,6 +120,17 @@ class TestRequire < Test::Unit::TestCase
 assert_equal(self.class.ospath_encoding(require_path), $:.last.encoding, '[Bug #8753]')
 assert(!require(require_path), bug)
 }
+ $:.replace(load_path)
+ $".replace(features)
+ if SECURITY_WARNING
+ require_path.untaint
+ ospath = require_path.encode(self.class.ospath_encoding(require_path))
+ assert_warn(/Insecure world writable dir/) do
+ assert_raise_with_message(SecurityError, "loading from unsafe path #{ospath}") do
+ SECURITY_WARNING.call(require_path)
+ end
+ end
+ end
 ensure
 $:.replace(load_path)
 $".replace(features) |
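Review bot: The added `$:.replace(load_path)` / `$".replace(features)` pair duplicates the `ensure` clause directly below it, with no comment saying why the reset is needed earlier. Presumably it restores the load path and clears the loaded-feature record so that the `require` inside `SECURITY_WARNING` reaches the path check instead of returning early; a one-line comment such as `# reset $: and $" so the next require re-resolves require_path` would make that explicit. `require_path.untaint` deserves the same treatment, since it seems to be what steers the call to the world-writable-directory check rather than a taint failure (inferred from the file.c side of this commit). The enclosing method begins outside this hunk.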