merge revision(s) 30903:

* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): Test for below. * error.c (exc_to_s): untainted strings can be tainted via Exception#to_s, which enables attackers to overwrite sane strings. Reported by: Yusuke Endoh <mame at tsg.ne.jp>. * error.c (name_err_to_s): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@30911 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2011-02-18 12:32:35 +0000
committer: shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2011-02-18 12:32:35 +0000
commit: 03022c9d9f686b87d66443eaf38fd7b0e7db5b69 (patch)
tree: 4d8b2c6fac744adc97bbf17a8985e38d1302e806 /error.c
parent: 4f4dc7b2afd0cd516836f6dcfa55419cc088b23a (diff)
1 files changed, 2 insertions, 4 deletions
diff --git a/error.c b/error.c
index a991f55e57..59b445e915 100644
--- a/error.c
+++ b/error.c
@@ -403,7 +403,6 @@ exc_to_s(exc)
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
@@ -667,10 +666,9 @@ name_err_to_s(exc)
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-	rb_iv_set(exc, "mesg", mesg = str);
+	OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*
author	shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2011-02-18 12:32:35 +0000
committer	shyouhei <shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2011-02-18 12:32:35 +0000
commit	03022c9d9f686b87d66443eaf38fd7b0e7db5b69 (patch)
tree	4d8b2c6fac744adc97bbf17a8985e38d1302e806 /error.c
parent	4f4dc7b2afd0cd516836f6dcfa55419cc088b23a (diff)