From d3df9579a5986f72bd5688f08d3bb609edae767b Mon Sep 17 00:00:00 2001
From: yugui
Date: Mon, 11 May 2009 15:07:00 +0000
Subject: * ext/dl/lib/dl/func.rb (DL::Function#call): prevents passing tainted arguments to a C function. Patch by sheepman . * ext/dl/lib/dl/func.rb (DL::Function#check_safe_obj): new method for checking #call's arguments.
git-svn-id: http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_9_1@23404 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 9 +++++++++
 ext/dl/lib/dl/func.rb | 8 ++++++++
 2 files changed, 17 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 80b1f0ff4..1de38d363 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Mon May 11 22:33:46 2009 Yuki Sonoda (Yugui)
+
+ * ext/dl/lib/dl/func.rb (DL::Function#call): prevents
+ passing tainted arguments to a C function.
+ Patch by sheepman .
+
+ * ext/dl/lib/dl/func.rb (DL::Function#check_safe_obj):
+ new method for checking #call's arguments.
+
 Tue Mar 10 04:53:16 2009 Nobuyoshi Nakada
 
 * configure.in (MINIRUBY): keep macro into Makefile.
diff --git a/ext/dl/lib/dl/func.rb b/ext/dl/lib/dl/func.rb
index b29aebcc8..a2e6d40fb 100644
--- a/ext/dl/lib/dl/func.rb
+++ b/ext/dl/lib/dl/func.rb
@@ -25,8 +25,16 @@ module DL
 @cfunc.to_i
 end
 
+ def check_safe_obj(val)
+ if $SAFE > 0 and val.tainted?
+ raise SecurityError, 'Insecure operation'
+ end
+ end
+
 def call(*args, &block)
 funcs = []
+ args.each{|e| check_safe_obj(e) }
+ check_safe_obj(block)
 args = wrap_args(args, @stack.types, funcs, &block)
 r = @cfunc.call(@stack.pack(args))
 funcs.each{|f| f.unbind_at_call()}
-- cgit
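Review bot: `check_safe_obj` is applied only to the top-level objects in `args` and to the block, so an untainted container that holds a tainted String would pass the guard in `call`. Whether that can reach `@cfunc.call` depends on `wrap_args`, which is outside this hunk; if it descends into arrays or converts objects through `to_ptr`, the taint test belongs on the value that is actually packed. At minimum I would document the limit on the helper, e.g. `# Raises SecurityError if $SAFE > 0 and val itself is tainted; does not inspect elements of val.`, and write the condition as `if $SAFE > 0 && val.tainted?`. The body of `call` continues past the end of the hunk, and no test accompanies the change.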