From b53cf149ad8d7c46572e4567ca949b4f82ebb22c Mon Sep 17 00:00:00 2001
From: eregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 3 Aug 2018 16:19:40 +0000
Subject: Update to ruby/spec@9be7c7e

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64180 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 spec/ruby/security/cve_2010_1330_spec.rb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 spec/ruby/security/cve_2010_1330_spec.rb

(limited to 'spec/ruby/security')

diff --git a/spec/ruby/security/cve_2010_1330_spec.rb b/spec/ruby/security/cve_2010_1330_spec.rb
new file mode 100644
index 0000000000..c41a5e0a2e
--- /dev/null
+++ b/spec/ruby/security/cve_2010_1330_spec.rb
@@ -0,0 +1,21 @@
+require_relative '../spec_helper'
+
+describe "String#gsub" do
+
+  it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do
+    # This original vulnerability talked about KCODE, which is no longer
+    # used. Instead we are forcing encodings here. But I think the idea is the
+    # same - we want to check that Ruby implementations raise an error on
+    # #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
+    # sequence.
+
+    str = "\xF6<script>"
+    str.force_encoding Encoding::ASCII_8BIT
+    str.gsub(/</, "&lt;").should == "\xF6&lt;script>".b
+    str.force_encoding Encoding::UTF_8
+    lambda {
+      str.gsub(/</, "&lt;")
+    }.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/)
+  end
+
+end
-- 
cgit v1.2.1