diff options
| author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-07-25 23:11:57 +0000 |
|---|---|---|
| committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-07-25 23:11:57 +0000 |
| commit | c2ce9eb9d88593870f68f5476ecc20cff99669db (patch) | |
| tree | 5854965142188d2a9b21650d2f409f6f5491d5eb | |
| parent | f5022fcf06982ab54fbf32848e3ae6d3234f070d (diff) | |
merge revision(s) a15f7dd1fb1148c3d586238ee6907875f2e40379: [Backport #15803]
Always mark the string returned by File.realpath as tainted
This string can include elements that were not in either string
passed to File.realpath, even if one of the strings is an
absolute path, due to symlinks:
```ruby
Dir.mkdir('b') unless File.directory?('b')
File.write('b/a', '') unless File.file?('b/a')
File.symlink('b', 'c') unless File.symlink?('c')
path = File.realpath('c/a'.untaint, Dir.pwd.untaint)
path # "/home/testr/ruby/b/a"
path.tainted? # should be true, as 'b' comes from file system
```
[Bug #15803]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67713 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| -rw-r--r-- | file.c | 2 | ||||
| -rw-r--r-- | test/ruby/test_file.rb | 2 | ||||
| -rw-r--r-- | version.h | 6 |
3 files changed, 5 insertions, 5 deletions
@@ -4152,7 +4152,7 @@ rb_check_realpath_internal(VALUE basedir, VALUE path, enum rb_realpath_mode mode } } - OBJ_INFECT(resolved, unresolved_path); + rb_obj_taint(resolved); RB_GC_GUARD(unresolved_path); RB_GC_GUARD(curdir); return resolved; diff --git a/test/ruby/test_file.rb b/test/ruby/test_file.rb index 5e9574cf32..36c154d36c 100644 --- a/test/ruby/test_file.rb +++ b/test/ruby/test_file.rb @@ -298,7 +298,7 @@ class TestFile < Test::Unit::TestCase assert_predicate(File.realpath(base, dir), :tainted?) base.untaint dir.untaint - assert_not_predicate(File.realpath(base, dir), :tainted?) + assert_predicate(File.realpath(base, dir), :tainted?) assert_predicate(Dir.chdir(dir) {File.realpath(base)}, :tainted?) } end @@ -1,10 +1,10 @@ #define RUBY_VERSION "2.6.3" #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR -#define RUBY_PATCHLEVEL 65 +#define RUBY_PATCHLEVEL 66 #define RUBY_RELEASE_YEAR 2019 -#define RUBY_RELEASE_MONTH 6 -#define RUBY_RELEASE_DAY 22 +#define RUBY_RELEASE_MONTH 7 +#define RUBY_RELEASE_DAY 26 #include "ruby/version.h" |