Fixed command Injection

* lib/resolv.rb (Resolv::Config.parse_resolv_conf): fixed
  potential command injection by use of Kernel#open.
  [ruby-core:84347] [Bug #14205]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

2 files changed, 21 insertions, 0 deletions

diff --git a/test/resolv/test_addr.rb b/test/resolv/test_addr.rb
index 4a2df5bfca..78a28c9633 100644
--- a/test/resolv/test_addr.rb
+++ b/test/resolv/test_addr.rb
@@ -27,4 +27,15 @@ class TestResolvAddr < Test::Unit::TestCase
       end
     end
   end
+
+  def test_hosts_by_command
+    Dir.mktmpdir do |dir|
+      Dir.chdir(dir) do
+        hosts = Resolv::Hosts.new("|echo error")
+        assert_raise(Errno::ENOENT) do
+          hosts.each_name("") {}
+        end
+      end
+    end
+  end
 end
diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb
index f21a094b20..8236078374 100644
--- a/test/resolv/test_dns.rb
+++ b/test/resolv/test_dns.rb
@@ -179,6 +179,16 @@ class TestResolvDNS < Test::Unit::TestCase
     end
   end
 
+  def test_resolv_conf_by_command
+    Dir.mktmpdir do |dir|
+      Dir.chdir(dir) do
+        assert_raise(Errno::ENOENT) do
+          Resolv::DNS::Config.parse_resolv_conf("|echo foo")
+        end
+      end
+    end
+  end
+
   def test_dots_diffences
     name1 = Resolv::DNS::Name.create("example.org")
     name2 = Resolv::DNS::Name.create("ex.ampl.eo.rg")