diff options
| author | matz <matz@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2005-10-05 16:15:16 +0000 |
|---|---|---|
| committer | matz <matz@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2005-10-05 16:15:16 +0000 |
| commit | 22f1926644a213a39cd8a3f83a80518e5c15797f (patch) | |
| tree | 664beb18420f4bc9329dc37e52bdeafbf000037a /file.c | |
| parent | 313e0cb56aedfceb0bfaab2e430d2211c5e2043b (diff) | |
* range.c (rb_range_beg_len): should return Qfalse for non-range
object.
* pack.c (EXTEND16): [ruby-dev:27383]
* eval.c (set_trace_func): add rb_secure(4) to prevent adding
tracing function.
* lib/delegate.rb: document update from James Edward Gray II
<james@grayproductions.net>. [ruby-core:05942]
* process.c (proc_daemon): should restrict execution on levels
higher than $SAFE=2. suggested by URABE Shyouhei
<shyouhei@ice.uec.ac.jp>.
* lib/forwardable.rb: replaced by new implementation from
<Daniel.Berger@qwest.com>. [ruby-core:05899]
* file.c (path_check_0): disallow sticky world writable directory
in PATH (and $LOAD_PATH). [ruby-dev:27226]
* numeric.c (fix_idiv): 1.div(1.0) should return integer value.
[ruby-dev:27235]
* lib/yaml.rb: require 'yaml/constants'. [ruby-core:5776]
* lib/xmlrpc/client.rb (XMLRPC::Client::do_rpc): add charset
information to content-type header.[ruby-core:5127]
* lib/xmlrpc/server.rb (CGIServer::serve): ditto.
* lib/xmlrpc/server.rb (ModRubyServer::serve): ditto.
* lib/xmlrpc/server.rb (WEBrickServlet::service): ditto.
* test/dbm/test_dbm.rb (TestDBM::test_s_open_error): remove
test_s_open_error test to detect duplicate open.
[ruby-dev:27202]
* eval.c (splat_value): use to_a to splat non Array object.
* object.c (nil_to_a): remove nil.to_a. [experimental]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@9349 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'file.c')
| -rw-r--r-- | file.c | 25 |
1 files changed, 18 insertions, 7 deletions
@@ -3840,7 +3840,7 @@ is_absolute_path(const char *path) #ifndef DOSISH static int -path_check_1(VALUE path) +path_check_0(VALUE path, int loadpath) { struct stat st; char *p0 = StringValueCStr(path); @@ -3855,7 +3855,7 @@ path_check_1(VALUE path) rb_str_cat2(newpath, "/"); rb_str_cat2(newpath, p0); - return path_check_1(newpath); + return path_check_0(newpath, loadpath); } for (;;) { #ifndef S_IWOTH @@ -3863,7 +3863,7 @@ path_check_1(VALUE path) #endif if (stat(p0, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH) #ifdef S_ISVTX - && !(st.st_mode & S_ISVTX) + && (loadpath || !(st.st_mode & S_ISVTX)) #endif && !access(p0, W_OK)) { rb_warn("Insecure world writable dir %s, mode 0%o", p0, st.st_mode); @@ -3879,6 +3879,17 @@ path_check_1(VALUE path) } #endif +static int +fpath_check(path) + char *path; +{ +#ifndef DOSISH + return path_check_0(rb_str_new2(path), Qfalse); +#else + return 1; +#endif +} + int rb_path_check(const char *path) { @@ -3894,7 +3905,7 @@ rb_path_check(const char *path) if (!p) p = pend; for (;;) { - if (!path_check_1(rb_str_new(p0, p - p0))) { + if (!path_check_0(rb_str_new(p0, p - p0), Qtrue)) { return 0; /* not safe */ } p0 = p + 1; @@ -4001,7 +4012,7 @@ rb_find_file(VALUE path) #if defined(__MACOS__) || defined(riscos) if (is_macos_native_path(f)) { - if (rb_safe_level() >= 1 && !rb_path_check(f)) { + if (rb_safe_level() >= 1 && !fpath_check(f)) { rb_raise(rb_eSecurityError, "loading from unsafe file %s", f); } if (file_load_ok(f)) return path; @@ -4009,7 +4020,7 @@ rb_find_file(VALUE path) #endif if (is_absolute_path(f)) { - if (rb_safe_level() >= 1 && !rb_path_check(f)) { + if (rb_safe_level() >= 1 && !fpath_check(f)) { rb_raise(rb_eSecurityError, "loading from unsafe file %s", f); } if (file_load_ok(f)) return path; @@ -4050,7 +4061,7 @@ rb_find_file(VALUE path) return 0; /* no path, no load */ } f = dln_find_file(f, lpath); - if (rb_safe_level() >= 1 && !rb_path_check(f)) { + if (rb_safe_level() >= 1 && !fpath_check(f)) { rb_raise(rb_eSecurityError, "loading from unsafe file %s", f); } if (file_load_ok(f)) { |