Project

General

Profile

Bug #11855 ยป 0001-Preserve-original-state-for-tainted-and-frozen.patch

k0kubun (Takashi Kokubun), 12/21/2015 03:00 PM

View differences:

ext/cgi/escape/escape.c
25 25
    }
26 26
}
27 27

  
28
static void
29
preserve_original_state(VALUE orig, VALUE dest)
30
{
31
    rb_enc_associate(dest, rb_enc_get(orig));
32

  
33
    if (rb_obj_frozen_p(orig)) {
34
	rb_str_freeze(dest);
35
    }
36

  
37
    if (OBJ_TAINTED(orig)) {
38
	rb_obj_taint(dest);
39
    }
40
}
41

  
28 42
static VALUE
29 43
optimized_escape_html(VALUE str)
30 44
{
......
57 71

  
58 72
    if (modified) {
59 73
	rb_str_cat(dest, cstr + beg, len - beg);
60
	rb_enc_associate(dest, rb_enc_get(str));
74
	preserve_original_state(str, dest);
61 75
	return dest;
62 76
    }
63 77
    else {
test/cgi/test_cgi_util.rb
68 68
    assert_equal(Encoding::UTF_8, CGI::escapeHTML("'&\"><".force_encoding("UTF-8")).encoding)
69 69
  end
70 70

  
71
  def test_cgi_escape_html_preserve_tainted
72
    assert_equal(false, CGI::escapeHTML("'&\"><").tainted?)
73
    assert_equal(true, CGI::escapeHTML("'&\"><".taint).tainted?)
74
  end
75

  
76
  def test_cgi_escape_html_preserve_frozen
77
    assert_equal(false, CGI::escapeHTML("'&\"><".dup).frozen?)
78
    assert_equal(true, CGI::escapeHTML("'&\"><".freeze).frozen?)
79
  end
80

  
71 81
  def test_cgi_unescapeHTML
72 82
    assert_equal("'&\"><", CGI::unescapeHTML("&#39;&amp;&quot;&gt;&lt;"))
73 83
  end
74
-