From fe3c49c9baeeab58304ede915b7edd18ecf360fc Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sat, 3 Jul 2021 17:10:28 +0000
Subject: merge revision(s) b1c73f23,c9ab8fe2: [Backport #17877]

	[ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799

	https://github.com/ruby/rdoc/commit/a7f5d6ab88

	The test for command injection on Unix platforms should be omitted on Windows


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67947 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/rdoc/test_rdoc_rdoc.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'test')

diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
index 3bce54b243..123b1a4f87 100644
--- a/test/rdoc/test_rdoc_rdoc.rb
+++ b/test/rdoc/test_rdoc_rdoc.rb
@@ -420,6 +420,18 @@ class TestRDocRDoc < RDoc::TestCase
     end
   end
 
+  def test_remove_unparseable_CVE_2021_31799
+    skip 'for Un*x platforms' if Gem.win_platform?
+    temp_dir do
+      file_list = ['| touch evil.txt && echo tags']
+      file_list.each do |f|
+        FileUtils.touch f
+      end
+      assert_equal file_list, @rdoc.remove_unparseable(file_list)
+      assert_equal file_list, Dir.children('.')
+    end
+  end
+
   def test_setup_output_dir
     Dir.mktmpdir {|d|
       path = File.join d, 'testdir'
-- 
cgit v1.2.3