52 lines
1.7 KiB
Diff
52 lines
1.7 KiB
Diff
commit fe3c49c9baeeab58304ede915b7edd18ecf360fc
|
|
Author: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
|
Date: Sat Jul 3 17:10:28 2021 +0000
|
|
|
|
merge revision(s) b1c73f23,c9ab8fe2: [Backport #17877]
|
|
|
|
[ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799
|
|
|
|
https://github.com/ruby/rdoc/commit/a7f5d6ab88
|
|
|
|
The test for command injection on Unix platforms should be omitted on Windows
|
|
|
|
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67947 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
|
|
index ca2c1abefd..46aace7839 100644
|
|
--- a/lib/rdoc/rdoc.rb
|
|
+++ b/lib/rdoc/rdoc.rb
|
|
@@ -436,7 +436,7 @@ def remove_unparseable files
|
|
files.reject do |file|
|
|
file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
|
|
(file =~ /tags$/i and
|
|
- open(file, 'rb') { |io|
|
|
+ File.open(file, 'rb') { |io|
|
|
io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
|
|
})
|
|
end
|
|
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
|
|
index 3bce54b243..123b1a4f87 100644
|
|
--- a/test/rdoc/test_rdoc_rdoc.rb
|
|
+++ b/test/rdoc/test_rdoc_rdoc.rb
|
|
@@ -366,6 +366,18 @@ def test_remove_unparseable_tags_vim
|
|
end
|
|
end
|
|
|
|
+ def test_remove_unparseable_CVE_2021_31799
|
|
+ skip 'for Un*x platforms' if Gem.win_platform?
|
|
+ temp_dir do
|
|
+ file_list = ['| touch evil.txt && echo tags']
|
|
+ file_list.each do |f|
|
|
+ FileUtils.touch f
|
|
+ end
|
|
+ assert_equal file_list, @rdoc.remove_unparseable(file_list)
|
|
+ assert_equal file_list, Dir.children('.')
|
|
+ end
|
|
+ end
|
|
+
|
|
def test_setup_output_dir
|
|
Dir.mktmpdir {|d|
|
|
path = File.join d, 'testdir'
|