diff --git a/ChangeLog b/ChangeLog index 177ff95c8b..ecff5aff99 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +Thu Dec 14 22:52:11 2017 Shugo Maeda + + Fix a command injection vulnerability in Net::FTP. + Thu Dec 14 22:49:08 2017 SHIBATA Hiroshi Merge rubygems-2.6.14 changes. diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb index c9b80c6804..79edb80864 100644 --- a/lib/net/ftp.rb +++ b/lib/net/ftp.rb @@ -606,10 +606,10 @@ module Net if localfile if @resume rest_offset = File.size?(localfile) - f = open(localfile, "a") + f = File.open(localfile, "a") else rest_offset = nil - f = open(localfile, "w") + f = File.open(localfile, "w") end elsif !block_given? result = "" @@ -637,7 +637,7 @@ module Net def gettextfile(remotefile, localfile = File.basename(remotefile)) # :yield: line result = nil if localfile - f = open(localfile, "w") + f = File.open(localfile, "w") elsif !block_given? result = "" end @@ -683,7 +683,7 @@ module Net else rest_offset = nil end - f = open(localfile) + f = File.open(localfile) begin f.binmode if rest_offset @@ -702,7 +702,7 @@ module Net # passing in the transmitted data one line at a time. # def puttextfile(localfile, remotefile = File.basename(localfile), &block) # :yield: line - f = open(localfile) + f = File.open(localfile) begin storlines("STOR " + remotefile, f, &block) ensure diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb index cb311695d0..91a6002c5c 100644 --- a/test/net/ftp/test_ftp.rb +++ b/test/net/ftp/test_ftp.rb @@ -2,6 +2,7 @@ require "net/ftp" require "test/unit" require "ostruct" require "stringio" +require "tmpdir" class FTPTest < Test::Unit::TestCase SERVER_ADDR = "127.0.0.1" @@ -825,6 +826,227 @@ class FTPTest < Test::Unit::TestCase end end + def test_getbinaryfile_command_injection + skip "| is not allowed in filename on Windows" if windows? + [false, true].each do |resume| + commands = [] + binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 + server = create_ftp_server { |sock| + sock.print("220 (test_ftp).\r\n") + commands.push(sock.gets) + sock.print("331 Please specify the password.\r\n") + commands.push(sock.gets) + sock.print("230 Login successful.\r\n") + commands.push(sock.gets) + sock.print("200 Switching to Binary mode.\r\n") + line = sock.gets + commands.push(line) + host, port = process_port_or_eprt(sock, line) + commands.push(sock.gets) + sock.print("150 Opening BINARY mode data connection for |echo hello (#{binary_data.size} bytes)\r\n") + conn = TCPSocket.new(host, port) + binary_data.scan(/.{1,1024}/nm) do |s| + conn.print(s) + end + conn.shutdown(Socket::SHUT_WR) + conn.read + conn.close + sock.print("226 Transfer complete.\r\n") + } + begin + chdir_to_tmpdir do + begin + ftp = Net::FTP.new + ftp.resume = resume + ftp.read_timeout = 0.2 + ftp.connect(SERVER_ADDR, server.port) + ftp.login + assert_match(/\AUSER /, commands.shift) + assert_match(/\APASS /, commands.shift) + assert_equal("TYPE I\r\n", commands.shift) + ftp.getbinaryfile("|echo hello") + assert_equal(binary_data, File.binread("./|echo hello")) + assert_match(/\A(PORT|EPRT) /, commands.shift) + assert_equal("RETR |echo hello\r\n", commands.shift) + assert_equal(nil, commands.shift) + ensure + ftp.close if ftp + end + end + ensure + server.close + end + end + end + + def test_gettextfile_command_injection + skip "| is not allowed in filename on Windows" if windows? + commands = [] + text_data = <