diff options
author | Jeremy Evans <code@jeremyevans.net> | 2019-09-20 19:06:22 -0700 |
---|---|---|
committer | Jeremy Evans <code@jeremyevans.net> | 2019-11-18 01:00:25 +0200 |
commit | c5c05460ac20abcbc0ed686eb4acf06da7a39a79 (patch) | |
tree | 991109a68f3b1cd2e256a936701d3b2badd3ddac /ruby.c | |
parent | 7b6a8b5b54448235e17ed187d9d73f56893e1b6f (diff) | |
download | bundler-c5c05460ac20abcbc0ed686eb4acf06da7a39a79.tar.gz |
Warn on access/modify of $SAFE, and remove effects of modifying $SAFE
This removes the security features added by $SAFE = 1, and warns for access
or modification of $SAFE from Ruby-level, as well as warning when calling
all public C functions related to $SAFE.
This modifies some internal functions that took a safe level argument
to no longer take the argument.
rb_require_safe now warns, rb_require_string has been added as a
version that takes a VALUE and does not warn.
One public C function that still takes a safe level argument and that
this doesn't warn for is rb_eval_cmd. We may want to consider
adding an alternative method that does not take a safe level argument,
and warn for rb_eval_cmd.
Diffstat (limited to 'ruby.c')
-rw-r--r-- | ruby.c | 56 |
1 files changed, 19 insertions, 37 deletions
@@ -162,7 +162,6 @@ struct ruby_cmdline_options { #if USE_MJIT struct mjit_options mjit; #endif - int safe_level; int sflag, xflag; unsigned int warning: 1; unsigned int verbose: 1; @@ -264,7 +263,6 @@ usage(const char *name, int help) M("-rlibrary", "", "require the library before executing your script"), M("-s", "", "enable some switch parsing for switches after script name"), M("-S", "", "look for the script using PATH environment variable"), - M("-T[level=1]", "", "turn on tainting checks"), M("-v", "", "print the version number, then turn on verbose mode"), M("-w", "", "turn warnings on for your script"), M("-W[level=2]", "", "set warning level; 0=silence, 1=medium, 2=verbose"), @@ -490,13 +488,7 @@ str_conv_enc(VALUE str, rb_encoding *from, rb_encoding *to) # define str_conv_enc(str, from, to) (str) #endif -void ruby_init_loadpath_safe(int safe_level); - -void -ruby_init_loadpath(void) -{ - ruby_init_loadpath_safe(0); -} +void ruby_init_loadpath(void); #if defined(LOAD_RELATIVE) static VALUE @@ -576,7 +568,7 @@ runtime_libruby_path(void) VALUE ruby_archlibdir_path, ruby_prefix_path; void -ruby_init_loadpath_safe(int safe_level) +ruby_init_loadpath(void) { VALUE load_path, archlibdir = 0; ID id_initial_load_path_mark; @@ -659,9 +651,7 @@ ruby_init_loadpath_safe(int safe_level) load_path = GET_VM()->load_path; - if (safe_level == 0) { - ruby_push_include(getenv("RUBYLIB"), identical_path); - } + ruby_push_include(getenv("RUBYLIB"), identical_path); id_initial_load_path_mark = INITIAL_LOAD_PATH_MARK; while (*paths) { @@ -1225,18 +1215,18 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt) goto reswitch; case 'T': - { - size_t numlen; - int v = 1; - - if (*++s) { - v = scan_oct(s, 2, &numlen); - if (numlen == 0) - v = 1; - s += numlen; - } - if (v > opt->safe_level) opt->safe_level = v; - } + { + size_t numlen; + int v = 1; + + if (*++s) { + v = scan_oct(s, 2, &numlen); + if (numlen == 0) + v = 1; + s += numlen; + } + } + rb_warn("ruby -T will be removed in Ruby 3.0"); goto reswitch; case 'I': @@ -1576,8 +1566,7 @@ process_options(int argc, char **argv, ruby_cmdline_options_t *opt) argc -= i; argv += i; - if ((opt->features.set & FEATURE_BIT(rubyopt)) && - opt->safe_level == 0 && (s = getenv("RUBYOPT"))) { + if ((opt->features.set & FEATURE_BIT(rubyopt)) && (s = getenv("RUBYOPT"))) { VALUE src_enc_name = opt->src.enc.name; VALUE ext_enc_name = opt->ext.enc.name; VALUE int_enc_name = opt->intern.enc.name; @@ -1655,12 +1644,12 @@ process_options(int argc, char **argv, ruby_cmdline_options_t *opt) translit_char(RSTRING_PTR(opt->script_name), '\\', '/'); #endif - ruby_gc_set_params(opt->safe_level); - ruby_init_loadpath_safe(opt->safe_level); + ruby_gc_set_params(); + ruby_init_loadpath(); #if USE_MJIT if (opt->mjit.on) - /* Using TMP_RUBY_PREFIX created by ruby_init_loadpath_safe(). */ + /* Using TMP_RUBY_PREFIX created by ruby_init_loadpath(). */ mjit_init(&opt->mjit); #endif @@ -1884,8 +1873,6 @@ process_options(int argc, char **argv, ruby_cmdline_options_t *opt) rb_gc_register_mark_object(opt->e_script); } - rb_set_safe_level(opt->safe_level); - { rb_execution_context_t *ec = GET_EC(); @@ -2282,9 +2269,6 @@ init_ids(ruby_cmdline_options_t *opt) if (uid != euid) opt->setids |= 1; if (egid != gid) opt->setids |= 2; - if (uid && opt->setids) { - if (opt->safe_level < 1) opt->safe_level = 1; - } } #undef forbid_setid @@ -2295,8 +2279,6 @@ forbid_setid(const char *s, const ruby_cmdline_options_t *opt) rb_raise(rb_eSecurityError, "no %s allowed while running setuid", s); if (opt->setids & 2) rb_raise(rb_eSecurityError, "no %s allowed while running setgid", s); - if (opt->safe_level > 0) - rb_raise(rb_eSecurityError, "no %s allowed in tainted mode", s); } static void |