Actions
Bug #4451
closedDate#step does not raise ArgumentError for 0 step
ruby -v:
ruby 1.9.3dev (2011-02-16 trunk 30888) [x86_64-openbsd4.9]
Backport:
Description
=begin
Numeric#step:
$ ruby -e '1.step(2, 0){}'
-e:1:in step': step can't be 0 (ArgumentError) from -e:1:in
'
Range#step:
$ ruby -r date -e '(0..1).step(0){}'
-e:1:in step': step can't be 0 (ArgumentError) from -e:1:in
'
Date#step:
ruby -r date -e 'Date.today.step(Date.today, 0){}'
infinite loop¶
There is already a check for this in date.rb, but it is commented out. It was added in r13408, over 3 years ago. The lack of this check can cause a denial of service if the step value is controlled by the attacker. The attached patch enables the check and adds a test for it.
=end
Files
Actions
Like0
Like0Like0Like0