6 files changed, 29 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index a65ba334a0..a884e91d24 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+Fri Nov 10 16:15:53 2000  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* parse.y (yylex): eval("^") caused infinite loop.
+
+Thu Nov  9 14:22:13 2000  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* io.c (rb_io_taint_check): should check IO taintness; no
+	  operation for untainted IO should be allowed in the sandbox.
+
+	* rubyio.h (GetOpenFile): check IO taintness inside using
+	  rb_io_taint_check().
+
 Wed Nov  8 03:08:53 2000  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
 	* io.c (io_fflush): ensure fflush(3) would not block by calling
diff --git a/io.c b/io.c
index 626cee7934..8394f9768b 100644
--- a/io.c
+++ b/io.c
@@ -143,6 +143,15 @@ rb_eof_error()
     rb_raise(rb_eEOFError, "End of file reached");
 }
 
+VALUE
+rb_io_taint_check(io)
+    VALUE io;
+{
+    if (!OBJ_TAINTED(io) && rb_safe_level() >= 4)
+	rb_raise(rb_eSecurityError, "Insecure: operation on untainted IO");
+    return io;
+}
+
 void
 rb_io_check_closed(fptr)
     OpenFile *fptr;
diff --git a/parse.y b/parse.y
index 2e1882626b..bf391cf839 100644
--- a/parse.y
+++ b/parse.y
@@ -3280,12 +3280,12 @@ yylex()
 
       case '^':
 	lex_state = EXPR_BEG;
-	if (nextc() == '=') {
+	if ((c = nextc()) == '=') {
 	    yylval.id = '^';
 	    return tOP_ASGN;
 	}
 	pushback(c);
-	return c;
+	return '^';
 
       case ',':
       case ';':
diff --git a/regex.c b/regex.c
index d4c1c2a915..3287fc3207 100644
--- a/regex.c
+++ b/regex.c
@@ -3766,6 +3766,7 @@ re_match(bufp, string_arg, size, pos, regs)
 
       case start_nowidth:
 	PUSH_FAILURE_POINT(0, d);
+	printf("%d > %d\n", stackp - stackb, RE_DUP_MAX);
 	if (stackp - stackb > RE_DUP_MAX) {
 	   FREE_AND_RETURN(stackb,(-2));
 	}
diff --git a/rubyio.h b/rubyio.h
index 2a3455dbe2..00d55baea1 100644
--- a/rubyio.h
+++ b/rubyio.h
@@ -32,7 +32,7 @@ typedef struct OpenFile {
 #define FMODE_BINMODE   4
 #define FMODE_SYNC      8
 
-#define GetOpenFile(obj,fp) rb_io_check_closed((fp) = RFILE(obj)->fptr)
+#define GetOpenFile(obj,fp) rb_io_check_closed((fp) = RFILE(rb_io_taint_check(obj))->fptr)
 
 #define MakeOpenFile(obj, fp) do {\
     fp = 0;\
@@ -57,6 +57,8 @@ void rb_io_check_readable _((OpenFile*));
 void rb_io_fptr_finalize _((OpenFile*));
 void rb_io_synchronized _((OpenFile*));
 void rb_io_check_closed _((OpenFile*));
+
+VALUE rb_io_taint_check _((VALUE));
 void rb_eof_error _((void));
 
 void rb_read_check _((FILE*));
diff --git a/version.h b/version.h
index 8dd99cfa7e..6d6ca73556 100644
--- a/version.h
+++ b/version.h
@@ -1,4 +1,4 @@
 #define RUBY_VERSION "1.6.2"
-#define RUBY_RELEASE_DATE "2000-11-08"
+#define RUBY_RELEASE_DATE "2000-11-10"
 #define RUBY_VERSION_CODE 162
-#define RUBY_RELEASE_CODE 20001108
+#define RUBY_RELEASE_CODE 20001110