From 3513d07732e00be85d2b3cb49fa9b72a8ed404ec Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 1 Sep 2014 17:34:33 +0000
Subject: merge revision(s) r46547: [Backport #9976]

	* hash.c (env_aset, env_has_key, env_assoc, env_has_value),
	  (env_rassoc, env_key): prohibit tainted strings if $SAFE is
	  non-zero.  [Bug #9976]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@47346 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog             |  6 ++++
 hash.c                | 14 +++++----
 test/ruby/test_env.rb | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++
 version.h             |  2 +-
 4 files changed, 97 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 326fc7ba0c..4be5d4e6b3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Tue Sep  2 02:21:58 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* hash.c (env_aset, env_has_key, env_assoc, env_has_value),
+	  (env_rassoc, env_key): prohibit tainted strings if $SAFE is
+	  non-zero.  [Bug #9976]
+
 Tue Sep  2 02:08:12 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* signal.c (rb_f_kill): directly enqueue an ignored signal to self,
diff --git a/hash.c b/hash.c
index 85be2decb7..376f33f1ac 100644
--- a/hash.c
+++ b/hash.c
@@ -2876,8 +2876,8 @@ env_aset(VALUE obj, VALUE nm, VALUE val)
 	env_delete(obj, nm);
 	return Qnil;
     }
-    StringValue(nm);
-    StringValue(val);
+    SafeStringValue(nm);
+    SafeStringValue(val);
     name = RSTRING_PTR(nm);
     value = RSTRING_PTR(val);
     if (memchr(name, '\0', RSTRING_LEN(nm)))
@@ -3372,7 +3372,8 @@ env_has_key(VALUE env, VALUE key)
 {
     char *s;
 
-    s = StringValuePtr(key);
+    SafeStringValue(key);
+    s = RSTRING_PTR(key);
     if (memchr(s, '\0', RSTRING_LEN(key)))
 	rb_raise(rb_eArgError, "bad environment variable name");
     if (getenv(s)) return Qtrue;
@@ -3391,7 +3392,8 @@ env_assoc(VALUE env, VALUE key)
 {
     char *s, *e;
 
-    s = StringValuePtr(key);
+    SafeStringValue(key);
+    s = RSTRING_PTR(key);
     if (memchr(s, '\0', RSTRING_LEN(key)))
 	rb_raise(rb_eArgError, "bad environment variable name");
     e = getenv(s);
@@ -3413,6 +3415,7 @@ env_has_value(VALUE dmy, VALUE obj)
 
     obj = rb_check_string_type(obj);
     if (NIL_P(obj)) return Qnil;
+    rb_check_safe_obj(obj);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
@@ -3443,6 +3446,7 @@ env_rassoc(VALUE dmy, VALUE obj)
 
     obj = rb_check_string_type(obj);
     if (NIL_P(obj)) return Qnil;
+    rb_check_safe_obj(obj);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
@@ -3473,7 +3477,7 @@ env_key(VALUE dmy, VALUE value)
     char **env;
     VALUE str;
 
-    StringValue(value);
+    SafeStringValue(value);
     env = GET_ENVIRON(environ);
     while (*env) {
 	char *s = strchr(*env, '=');
diff --git a/test/ruby/test_env.rb b/test/ruby/test_env.rb
index 0ada9606ae..ddbdcf24bc 100644
--- a/test/ruby/test_env.rb
+++ b/test/ruby/test_env.rb
@@ -451,4 +451,85 @@ class TestEnv < Test::Unit::TestCase
       end;
     end
   end
+
+  def test_taint_aref
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO".taint]
+      end.call
+    end
+  end
+
+  def test_taint_fetch
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.fetch("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_assoc
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.assoc("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_rassoc
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.rassoc("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_key
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.key("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_key_p
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.key?("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_value_p
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV.value?("FOO".taint)
+      end.call
+    end
+  end
+
+  def test_taint_aset_value
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO"] = "BAR".taint
+      end.call
+    end
+  end
+
+  def test_taint_aset_key
+    assert_raise(SecurityError) do
+      proc do
+        $SAFE = 2
+        ENV["FOO".taint] = "BAR"
+      end.call
+    end
+  end
 end
diff --git a/version.h b/version.h
index d00d06a0a3..890a191344 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.1.2"
 #define RUBY_RELEASE_DATE "2014-09-02"
-#define RUBY_PATCHLEVEL 217
+#define RUBY_PATCHLEVEL 218
 
 #define RUBY_RELEASE_YEAR 2014
 #define RUBY_RELEASE_MONTH 9
-- 
cgit v1.2.3