Backport #484 [ruby-core:18377]; Make OpenSSL::Config freeze correctly, preventing further config changes.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_6@28002 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 10 insertions, 0 deletions

diff --git a/ext/openssl/ossl_config.c b/ext/openssl/ossl_config.c
index f1d6a98253..84e163ae3b 100644
--- a/ext/openssl/ossl_config.c
+++ b/ext/openssl/ossl_config.c
@@ -158,6 +158,14 @@ ossl_config_initialize(int argc, VALUE *argv, VALUE self)
     return self;
 }
 
+static void
+rb_ossl_config_modify_check(VALUE config)
+{
+    if (OBJ_FROZEN(config)) rb_error_frozen("OpenSSL::Config");
+    if (!OBJ_TAINTED(config) && rb_safe_level() >= 4)
+        rb_raise(rb_eSecurityError, "Insecure: can't modify OpenSSL config");
+} 
+
 static VALUE
 ossl_config_add_value(VALUE self, VALUE section, VALUE name, VALUE value)
 {
@@ -167,6 +175,7 @@ ossl_config_add_value(VALUE self, VALUE section, VALUE name, VALUE value)
     CONF *conf;
     CONF_VALUE *sv, *cv;
 
+    rb_ossl_config_modify_check(self);
     StringValue(section);
     StringValue(name);
     StringValue(value);
@@ -247,6 +256,7 @@ ossl_config_set_section(VALUE self, VALUE section, VALUE hash)
 {
     VALUE arg[2];
 
+    rb_ossl_config_modify_check(self);
     arg[0] = self;
     arg[1] = section;
     rb_iterate(rb_each, hash, set_conf_section_i, (VALUE)arg);