authormatz <matz@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2006-09-13 08:15:21 +0000
committermatz <matz@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2006-09-13 08:15:21 +0000
commit89014bb6e4d1fb3502efcbff0f5470c108d5bd44 (patch)
tree158e56a64b390e4e2ef996530aeb1c053da1e6f8
parent21ae83c43e7ed769dddc11b756bd087a4b06613c (diff)
* string.c (rb_str_intern): prohibit interning tainted string.
git-svn-id: http://svn.ruby-lang.org/repos/ruby/trunk@10918 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog4
-rw-r--r--string.c3
2 files changed, 7 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 5f2e473f8..2acdf6450 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Wed Sep 13 16:43:36 2006 Yukihiro Matsumoto <matz@ruby-lang.org>
+
+ * string.c (rb_str_intern): prohibit interning tainted string.
+
Wed Sep 13 01:14:02 2006 Nobuyoshi Nakada <nobu@ruby-lang.org>
* lib/optparse.rb (OptionParser#getopts): works with pre-registered
diff --git a/string.c b/string.c
index 094907fe5..332b6186d 100644
--- a/string.c
+++ b/string.c
@@ -4153,6 +4153,9 @@ rb_str_intern(VALUE s)
}
if (strlen(RSTRING_PTR(str)) != RSTRING_LEN(str))
rb_raise(rb_eArgError, "symbol string may not contain `\\0'");
+ if (OBJ_TAINTED(str)) {
+ rb_raise(rb_eSecurityError, "Insecure: can't intern tainted string");
+ }
id = rb_intern(RSTRING_PTR(str));
return ID2SYM(id);
}
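Review bot: The added `OBJ_TAINTED(str)` test raises SecurityError unconditionally, so `intern`/`to_sym` on any string that originated from ARGV, ENV or I/O will now fail even at safe level 0, where taint is normally tracked but not enforced. If the aim is to keep untrusted input out of the symbol table (presumably because interned symbols are not reclaimed; worth confirming with the author), gating on the safe level keeps that protection for restricted code without breaking ordinary scripts: `if (OBJ_TAINTED(str) && rb_safe_level() >= 1) {`. The body of rb_str_intern and its doc comment start outside this hunk; the doc comment should mention the new SecurityError, and a short why-comment above the check, such as `/* interned names persist; refuse tainted input */`, would record the rationale.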