Ruby Issue Tracking System https://bugs.ruby-lang.org/ 2011-09-28T04:02:53Z
Ruby master - Bug #5374: Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1 https://bugs.ruby-lang.org/issues/5374?journal_id=21032 2011-09-28T04:02:53Z 375gnu (Hleb Valoshka)
<ul><li><strong>File</strong> <a href="/attachments/2101">test.rb</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2101/test.rb">test.rb</a> added</li><li><strong>File</strong> <a href="/attachments/2102">test.log</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2102/test.log">test.log</a> added</li><li><strong>File</strong> <a href="/attachments/2103">gettext-test.rb</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2103/gettext-test.rb">gettext-test.rb</a> added</li><li><strong>File</strong> <a href="/attachments/2104">gettext-debian.log</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2104/gettext-debian.log">gettext-debian.log</a> added</li><li><strong>File</strong> <a href="/attachments/2105">gettex-win.log</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2105/gettex-win.log">gettex-win.log</a> added</li></ul>
Ruby master - Bug #5374: Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1 https://bugs.ruby-lang.org/issues/5374?journal_id=24424 2012-03-11T16:11:33Z ko1 (Koichi Sasada)
<ul><li><strong>Assignee</strong> set to <i>mame (Yusuke Endoh)</i></li></ul>
Ruby master - Bug #5374: Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1 https://bugs.ruby-lang.org/issues/5374?journal_id=24531 2012-03-12T10:24:53Z nobu (Nobuyoshi Nakada) nobu@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Feedback</i></li></ul><p>Does this happen with recent versions?</p>
Ruby master - Bug #5374: Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1 https://bugs.ruby-lang.org/issues/5374?journal_id=27953 2012-07-12T07:38:11Z 375gnu (Hleb Valoshka)
<p>nobu (Nobuyoshi Nakada) wrote:</p>
<blockquote>
<p>Does this happen with recent versions?</p>
</blockquote>
<p>Yes, at least with 1.9.3p194 (2012-04-20 revision 35410) [x86_64-linux].</p>
<p>And today I've made some investigations.</p>
<p>File.stat is rb_file_s_stat, which calls rb_get_path, which calls rb_get_path_check, which at the very end calls rb_str_new4, which is actually rb_str_new_frozen.</p>
<p>As the value passed to rb_str_new_frozen (filename) isn't frozen, it creates a new string (see file string.c, line 679):<br>
if (STR_SHARED_P(orig) && (str = RSTRING(orig)->as.heap.aux.shared)) {...} and that "new" string is returned to rb_get_path_check.</p>
<p><em>This str is tainted!</em></p>
<p>I have also found a simpler way to reproduce the bug:</p>
<p>ruby -e '$SAFE=1;File.stat(("12345678901234567890123"+"4".taint).dup.untaint)'</p>
<p>The argument to stat should be at least 24 bytes on a 64-bit box.</p>
<p>I haven't checked the bug with glob on Win32 again, but I suppose that it has the same nature but didn't express itself on my Debian boxes because they are 64-bit. In a few days I can check it on 32-bit Debian.</p>
Ruby master - Bug #5374: Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1 https://bugs.ruby-lang.org/issues/5374?journal_id=27958 2012-07-12T11:44:30Z nobu (Nobuyoshi Nakada) nobu@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>This issue was solved with changeset r36373.<br>
Hleb, thank you for reporting this issue.<br>
Your contribution to Ruby is greatly appreciated.<br>
May Ruby be with you.</p>
<hr>
<p>rb_str_new_frozen: new object if tainted/untrusted unmatch</p>
<ul>
<li>string.c (rb_str_new_frozen): since the result object should have<br>
same tainted/untrusted bits with the original object, return new<br>
object if the shared object unmatch. <a href="/issues/5374">[ruby-core:39745]</a>[Bug <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Weird SecurityError with ruby1.9, File.stat/Dir.glob and $SAFE=1 (Closed)" href="https://bugs.ruby-lang.org/issues/5374">#5374</a>]</li>
</ul>
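<p>The mechanism discussed in this thread, as an added example that is not part of the tracker thread and is not Ruby's string.c: a simplified C model of a long string whose frozen shared root keeps a stale taint bit after <code>dup.untaint</code>, with the pre-fix and post-fix behaviour of the frozen-copy step side by side. All type and function names are hypothetical, only the tainted bit is modelled (not untrusted), and the 23-byte embed limit is taken from the 24-byte threshold reported above.</p>

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the report; NOT Ruby's string.c. All names are hypothetical. */
#define EMBED_MAX 23            /* longest embedded string on a 64-bit build (assumed) */

typedef struct Str {
    bool tainted, frozen;
    struct Str *shared;         /* frozen root owning the buffer, NULL if not shared */
    char buf[64];
} Str;

static Str *str_new(const char *s, bool tainted, bool frozen) {
    Str *r = calloc(1, sizeof *r);
    if (!r) abort();
    strncpy(r->buf, s, sizeof r->buf - 1);
    r->tainted = tainted; r->frozen = frozen;
    return r;
}

/* dup: long strings share a frozen root that inherits the source's taint bit. */
static Str *str_dup(const Str *orig) {
    Str *copy = str_new(orig->buf, orig->tainted, false);
    if (strlen(orig->buf) > EMBED_MAX)
        copy->shared = str_new(orig->buf, orig->tainted, true);
    return copy;
}

/* untaint clears the bit on the receiver only; the shared root keeps its own. */
static void str_untaint(Str *s) { s->tainted = false; }

/* fixed=false: pre-fix behaviour, the shared root is returned without comparing taint.
 * fixed=true: the root is reused only when its taint bit matches the original's. */
static Str *new_frozen(Str *orig, bool fixed) {
    if (orig->frozen) return orig;
    if (orig->shared && (!fixed || orig->shared->tainted == orig->tainted))
        return orig->shared;
    return str_new(orig->buf, orig->tainted, true);
}

/* Models File.stat(tainted_string_of_len.dup.untaint) at $SAFE=1; true = accepted.
 * len must be below 64. Allocations are left to process exit for brevity. */
bool stat_accepted(size_t len, bool fixed) {
    char src[64];
    memset(src, 'x', len); src[len] = '\0';   /* constructed sample path */
    Str *path = str_dup(str_new(src, true, false));
    str_untaint(path);
    return !new_frozen(path, fixed)->tainted;
}
```

<p>In this model a 24-byte path is rejected before the fix and accepted after it, while a 23-byte path is accepted either way because it never acquires a shared root.</p>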