* error.c (name_err_to_s): we need not infect msg.

shyouhei · shyouhei · commit 2ac236dcbd90 · 2012-10-12T04:05:35.000Z
* test/ruby/test_exception.rb (TestException#test_exception_to_s_should_not_propagate_untrustedness): test for it.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@37148 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+Fri Oct 12 12:25:15 2012  URABE Shyouhei  <shyouhei@ruby-lang.org>
+
+	* error.c (name_err_to_s): we need not infect msg.
+
+	* test/ruby/test_exception.rb (TestException#test_exception_to_s_should_not_propagate_untrustedness): test for it.
+
 Fri Jun 29 21:26:05 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* eval.c (stack_extend): prevent ALLOCA_N, which reserves a memory
diff --git a/error.c b/error.c
@@ -665,9 +665,6 @@ name_err_to_s(exc)
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
-    if (str != mesg) {
-	OBJ_INFECT(str, mesg);
-    }
     return str;
 }
 
diff --git a/test/ruby/test_exception.rb b/test/ruby/test_exception.rb
@@ -204,6 +204,34 @@ def o.to_str
     o.taint
     e = NameError.new(o)
     s = e.to_s
-    assert_equal(true, s.tainted?)
+    assert_equal(false, s.tainted?)
+  end
+
+  def test_exception_to_s_should_not_propagate_untrustedness
+    favorite_lang = "Ruby"
+
+    for exc in [Exception, NameError]
+      assert_raise(SecurityError) do
+        lambda {
+          $SAFE = 4
+          exc.new(favorite_lang).to_s
+          favorite_lang.replace("Python")
+        }.call
+      end
+    end
+
+    assert_raise(SecurityError) do
+      lambda {
+        $SAFE = 4
+        o = Object.new
+        (class << o; self; end).send(:define_method, :to_str) {
+          favorite_lang
+        }
+        NameError.new(o).to_s
+        favorite_lang.replace("Python")
+      }.call
+    end
+
+    assert_equal("Ruby", favorite_lang)
   end
 end
diff --git a/version.h b/version.h
@@ -1,15 +1,15 @@
 #define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2012-06-29"
+#define RUBY_RELEASE_DATE "2012-10-12"
 #define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20120629
-#define RUBY_PATCHLEVEL 370
+#define RUBY_RELEASE_CODE 20121012
+#define RUBY_PATCHLEVEL 371
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 7
 #define RUBY_RELEASE_YEAR 2012
-#define RUBY_RELEASE_MONTH 6
-#define RUBY_RELEASE_DAY 29
+#define RUBY_RELEASE_MONTH 10
+#define RUBY_RELEASE_DAY 12
 
 #ifdef RUBY_EXTERN
 RUBY_EXTERN const char ruby_version[];

Original file line number	Diff line number	Diff line change
`@@ -665,9 +665,6 @@ name_err_to_s(exc)`
`665`	`665`
`666`	`666`	`if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));`
`667`	`667`	`StringValue(str);`
`668`		`- if (str != mesg) {`
`669`		`- OBJ_INFECT(str, mesg);`
`670`		`- }`
`671`	`668`	`return str;`
`672`	`669`	`}`
`673`	`670`