diff options
Diffstat (limited to 'eval.c')
-rw-r--r-- | eval.c | 22 |
1 files changed, 17 insertions, 5 deletions
@@ -363,8 +363,10 @@ static ID init, eqq, each, aref, aset, match, missing; static ID added, singleton_added; static ID __id__, __send__, respond_to; -#define NOEX_WITH_SAFE(n) ((n) | ruby_safe_level << 4) +#define NOEX_TAINTED 8 #define NOEX_SAFE(n) ((n) >> 4) +#define NOEX_WITH(n, v) ((n) | (v) << 4) +#define NOEX_WITH_SAFE(n) NOEX_WITH(n, ruby_safe_level) void rb_add_method(klass, mid, node, noex) @@ -5717,12 +5719,16 @@ rb_call0(klass, recv, id, oid, argc, argv, body, flags) } b2 = body = body->nd_next; - PUSH_VARS(); - PUSH_TAG(PROT_FUNC); if (NOEX_SAFE(flags) > ruby_safe_level) { + if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) { + rb_raise(rb_eSecurityError, "calling insecure method: %s", + rb_id2name(id)); + } safe = ruby_safe_level; ruby_safe_level = NOEX_SAFE(flags); } + PUSH_VARS(); + PUSH_TAG(PROT_FUNC); if ((state = EXEC_TAG()) == 0) { NODE *node = 0; int i; @@ -8948,14 +8954,20 @@ method_call(argc, argv, method) { VALUE result = Qnil; /* OK */ struct METHOD *data; + int safe; Data_Get_Struct(method, struct METHOD, data); if (data->recv == Qundef) { rb_raise(rb_eTypeError, "can't call unbound method; bind first"); } + if (OBJ_TAINTED(method)) { + safe = NOEX_WITH(data->safe_level, 4)|NOEX_TAINTED; + } + else { + safe = data->safe_level; + } PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT); - result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body, - data->safe_level); + result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,safe); POP_ITER(); return result; } |