authoreregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2018-08-03 16:19:40 +0000
committereregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2018-08-03 16:19:40 +0000
commitb53cf149ad8d7c46572e4567ca949b4f82ebb22c (patch)
treeee5032bcb38573dade8ba2c46acbcc0d5f3ddfe3 /spec/ruby/security/cve_2010_1330_spec.rb
parentaeeaadaad08038217440c1e9e7c5ca126d7dc633 (diff)
Update to ruby/spec@9be7c7e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64180 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'spec/ruby/security/cve_2010_1330_spec.rb')
-rw-r--r--spec/ruby/security/cve_2010_1330_spec.rb21
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/ruby/security/cve_2010_1330_spec.rb b/spec/ruby/security/cve_2010_1330_spec.rb
new file mode 100644
index 0000000000..c41a5e0a2e
--- /dev/null
+++ b/spec/ruby/security/cve_2010_1330_spec.rb
@@ -0,0 +1,21 @@
+require_relative '../spec_helper'
+
+describe "String#gsub" do
+
+ it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do
+ # This original vulnerability talked about KCODE, which is no longer
+ # used. Instead we are forcing encodings here. But I think the idea is the
+ # same - we want to check that Ruby implementations raise an error on
+ # #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
+ # sequence.
+
+ str = "\xF6<script>"
+ str.force_encoding Encoding::ASCII_8BIT
+ str.gsub(/</, "&lt;").should == "\xF6&lt;script>".b
+ str.force_encoding Encoding::UTF_8
+ lambda {
+ str.gsub(/</, "&lt;")
+ }.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/)
+ end
+
+end
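Review bot: The five-line comment at the top of the `it` body is informal and garbled ("with invalid an UTF-8 byte sequence", "But I think the idea is the same") and never says what each of the two assertions establishes, which is the part a future reader of a security regression spec needs. I would replace it with `# CVE-2010-1330 concerned $KCODE, which no longer exists; forced encodings stand in for it.` / `# Baseline: in ASCII-8BIT the 0xF6 byte is valid, so the substitution must succeed.` / `# Regression: the same bytes tagged UTF-8 must make gsub raise instead of silently skipping the invalid byte.` Both `force_encoding` calls also mutate the literal in place, so the spec would fail with FrozenError if this file ever gained `# frozen_string_literal: true`; building the string with `String.new("\xF6<script>", encoding: Encoding::ASCII_8BIT)` (or `.dup`) avoids depending on the literal being mutable.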