From 2ca6c3a16a4b83f9ff809e95778a5e9c330b6384 Mon Sep 17 00:00:00 2001
From: matz
Date: Fri, 9 Sep 2005 13:15:16 +0000
Subject: * eval.c (rb_call0): prohibit calling tainted method (>2) when $SAFE == 0. * sprintf.c (rb_f_sprintf): warn "too many argument" on verbose mode (-v/-w); backported from 1.9. [ruby-dev:26963]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@9108 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
eval.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
(limited to 'eval.c')
diff --git a/eval.c b/eval.c
index e305a3b821..ebb91e5cba 100644
--- a/eval.c
+++ b/eval.c
@@ -363,8 +363,10 @@ static ID init, eqq, each, aref, aset, match, missing;
 static ID added, singleton_added;
 static ID __id__, __send__, respond_to;
-#define NOEX_WITH_SAFE(n) ((n) | ruby_safe_level << 4)
+#define NOEX_TAINTED 8
 #define NOEX_SAFE(n) ((n) >> 4)
+#define NOEX_WITH(n, v) ((n) | (v) << 4)
+#define NOEX_WITH_SAFE(n) NOEX_WITH(n, ruby_safe_level)
 void
 rb_add_method(klass, mid, node, noex)
@@ -5717,12 +5719,16 @@ rb_call0(klass, recv, id, oid, argc, argv, body, flags)
 }
 b2 = body = body->nd_next;
- PUSH_VARS();
- PUSH_TAG(PROT_FUNC);
 if (NOEX_SAFE(flags) > ruby_safe_level) {
+ if (!(flags&NOEX_TAINTED) && ruby_safe_level == 0 && NOEX_SAFE(flags) > 2) {
+ rb_raise(rb_eSecurityError, "calling insecure method: %s",
+ rb_id2name(id));
+ }
 safe = ruby_safe_level;
 ruby_safe_level = NOEX_SAFE(flags);
 }
+ PUSH_VARS();
+ PUSH_TAG(PROT_FUNC);
 if ((state = EXEC_TAG()) == 0) {
 NODE *node = 0;
 int i;
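Review bot: The bit layout that the new `NOEX_TAINTED` and `NOEX_WITH` macros depend on is not written down anywhere in this hunk, and the SecurityError check added to rb_call0 is skipped whenever bit 3 of the flags is set. `NOEX_TAINTED` (8) shares the low nibble with whatever other flag bits `noex` already carries, and nothing visible here masks it off before `NOEX_WITH_SAFE` packs a value, so a flags word that arrives with bit 3 set from some path other than method_call would bypass the check. I would add a comment above the macros such as `/* noex layout: bits 0-3 are flags, bits 4 and up hold a $SAFE level; NOEX_TAINTED is a call-time flag and must never be stored in a method entry */`, assuming that matches the intent. Separately, `NOEX_WITH` relies on `<<` binding tighter than `|`; writing it as `((n) | ((v) << 4))` makes that explicit.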
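Review bot: The new `rb_raise` leaves rb_call0 by a non-local jump, and the only unwinding concern the hunk addresses is moving `PUSH_VARS()` and `PUSH_TAG(PROT_FUNC)` below it. rb_call0's body starts and ends outside the hunk, so it is worth confirming that any state pushed earlier in the function is restored by the enclosing tag when the SecurityError propagates. The reason for the reordering should also be recorded so nobody moves the pushes back, for example `/* must raise before PUSH_VARS/PUSH_TAG: nothing pushed below is popped on this path */`. The threshold in `NOEX_SAFE(flags) > 2` and the restriction to `ruby_safe_level == 0` are bare literals. A one-line comment stating which caller and definition levels are rejected, and that callers at $SAFE 1 or 2 are still allowed through with the level raised, would make the policy reviewable.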
@@ -8948,14 +8954,20 @@ method_call(argc, argv, method)
 {
 VALUE result = Qnil; /* OK */
 struct METHOD *data;
+ int safe;
 Data_Get_Struct(method, struct METHOD, data);
 if (data->recv == Qundef) {
 rb_raise(rb_eTypeError, "can't call unbound method; bind first");
 }
+ if (OBJ_TAINTED(method)) {
+ safe = NOEX_WITH(data->safe_level, 4)|NOEX_TAINTED;
+ }
+ else {
+ safe = data->safe_level;
+ }
 PUSH_ITER(rb_block_given_p()?ITER_PRE:ITER_NOT);
- result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,
- data->safe_level);
+ result = rb_call0(data->klass,data->recv,data->id,data->oid,argc,argv,data->body,safe);
 POP_ITER();
 return result;
 }
--
cgit v1.2.3
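Review bot: The new local `safe` in method_call does not hold a safe level: it holds the packed flags word that rb_call0 receives as `flags`, so the name hides what the tainted branch does. `NOEX_WITH(data->safe_level, 4)` ORs `4 << 4` into `data->safe_level` instead of replacing its level field. If that member is already packed (it appears to be, since it is passed straight through as `flags` in the else branch), the resulting level is `old | 4`, which is at least 4 but not necessarily exactly 4. That still errs on the restrictive side, but it should be stated. I would rename the local to `int noex;` and add `/* a tainted Method object always runs at $SAFE >= 4; NOEX_TAINTED tells rb_call0 to raise the level instead of raising SecurityError */` above the `if (OBJ_TAINTED(method))` line.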