backport 80b5a0ff2a partially as a
security fix for CVE-2020-10663. The patch was provided by Jeremy Evans.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67873 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
`FileTest.send(command, ...)` allows calling not only FileTest-related
methods but also any method that belongs to Kernel, Object, etc.
patched by <mame@ruby-lang.org>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67820 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
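The dispatch problem described in the commit message above, shown as an added example that is not code from the Ruby repository or from the patch. The names `unsafe_test`, `safe_test` and `ALLOWED_FILETESTS` are hypothetical, and the harmless `format` call stands in for any inherited Kernel method.

```ruby
# Added illustration; unsafe_test, safe_test and ALLOWED_FILETESTS are
# hypothetical names, not identifiers from the Ruby source tree.

# Methods that FileTest itself defines (exist?, directory?, file?, ...).
ALLOWED_FILETESTS = FileTest.singleton_methods(false).map(&:to_s).freeze

# Before: the caller-supplied name is forwarded unchecked. FileTest is an
# ordinary object, so private Kernel methods it inherits are reachable too.
def unsafe_test(command, *args)
  FileTest.send(command, *args)
end

# After: only names that FileTest defines are dispatched, and public_send
# refuses private methods even if the allow-list were wrong.
def safe_test(command, *args)
  name = command.to_s
  unless ALLOWED_FILETESTS.include?(name)
    raise ArgumentError, "not a FileTest method: #{command.inspect}"
  end
  FileTest.public_send(name, *args)
end

# Helper for checking the rejection path without aborting the script.
def rejected?(command, *args)
  safe_test(command, *args)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_test(:format, "%05d", 7)  # Kernel#format reached through FileTest
  p safe_test(:directory?, ".")      # legitimate FileTest query still works
  p rejected?(:format, "%05d", 7)    # non-FileTest name is refused
end
```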
WEBrick: prevent response splitting and header injection
This is a follow up to d9d4a28.
The commit prevented CRLF, but did not address an isolated CR or an
isolated LF.
Co-Authored-By: NARUSE, Yui <naruse@airemix.jp>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67819 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
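The gap that the WEBrick commit message above describes, as an added example that is not WEBrick's code: a check that refuses only the CR LF pair still passes a value holding a lone CR or a lone LF, which a lenient receiver reads as a new header line. All function names and sample values are constructed for illustration.

```ruby
# Added illustration; names and sample values are constructed, not WEBrick's.

# Earlier behaviour as the commit message states it: only the CR LF pair is refused.
def crlf_only_ok?(value)
  !value.include?("\r\n")
end

# Follow-up behaviour: an isolated CR or an isolated LF is refused as well.
def strict_ok?(value)
  !value.match?(/[\r\n]/)
end

# Serialize headers, raising on any value the chosen check refuses.
def build_header_block(headers, check)
  headers.map do |name, value|
    raise ArgumentError, "illegal header value for #{name}" unless send(check, value)
    "#{name}: #{value}\r\n"
  end.join
end

# A lenient receiver that accepts CRLF, bare LF or bare CR as a line end.
def header_names_seen(block)
  block.split(/\r\n|\n|\r/).reject(&:empty?).map { |l| l.split(":", 2).first }
end

# Constructed header values covering each line-terminator case.
SAMPLES = {
  "plain"   => "en-US",
  "crlf"    => "en\r\nX-Injected: 1",
  "bare_lf" => "en\nX-Injected: 1",
  "bare_cr" => "en\rX-Injected: 1",
}.freeze

# For each sample: [label, passes CRLF-only check?, passes strict check?]
def audit(samples = SAMPLES)
  samples.map { |label, v| [label, crlf_only_ok?(v), strict_ok?(v)] }
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |row| p row }
  block = build_header_block({ "Content-Language" => SAMPLES["bare_lf"] }, :crlf_only_ok?)
  p header_names_seen(block)  # the receiver sees two headers, one was sent
end
```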
Loop with String#scan without creating substrings
Create the substrings necessary parts only, instead of cutting the
rest of the buffer. Also removed a useless, probable typo, regexp.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67818 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Fix for wrong fnmatch pattern
* dir.c (file_s_fnmatch): ensure that pattern does not contain a
NUL character. https://hackerone.com/reports/449617
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67817 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
io.c: chomp CR at the end of read buffer
* io.c (rb_io_getline_fast): chomp CR followed by LF but separated
by the read buffer boundary. [ruby-core:91707] [Bug #15642]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67391 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
tmpdir.rb: permission of user given directory
* lib/tmpdir.rb (Dir.mktmpdir): check if the permission of the
parent directory only when using the default temporary
directory, and no check against user given directory. the
security is the user's responsibility in that case.
[ruby-core:91216] [Bug #15555]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67148 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
parse.y: unindent continued line
* parse.y (tokadd_string): stop at continued line in dedented here
documents, to dedent each line before removing escaped
newlines. [ruby-core:86236] [Bug #14621]
parse.y: terminator at continued line
* parse.y (here_document): a continuing line is not the
terminator. [ruby-core:86283] [Bug #14621]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67147 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
cont.c: set th->root_fiber to current fiber at fork
Otherwise, th->root_fiber can point to an invalid Fiber,
because Fibers do not live across fork. So consider
whatever Fiber is running the root fiber.
[ruby-core:88723] [Bug #15041]
cont.c (rb_fiber_atfork): th->root_fiber may not exist
Otherwise, bootstraptest/test_fork.rb fails with -DVM_CHECK_MODE=2
[Bug #15041]
Fixes: r64589 "cont.c: set th->root_fiber to current fiber at fork"
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@66968 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Normalize month-mday before finding epoch
Especially over the year 2038, 30 Feb and so on may cause odd behavior
on validating found epoch with given year-month-day [Bug #15340]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@66967 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Mark array as "going to be modified" in `Array#reject!`
Before this patch, if `reject!` is called on a shared array it can
mutate the shared array rather than a copy. This patch marks the array
as "going to be modified" so that the shared source array isn't
mutated.
[Bug #15479] [ruby-core:90781]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@66966 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
io.c (io_write_nonblock): add RB_GC_GUARD, io_fflush may switch threads
Since io_fflush may block on mutex or rb_io_wait_readable and
switch threads, we need to ensure the `str' VALUE returned by
`rb_obj_as_string` is visible to GC.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@66965 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Move autoload to toplevel
So that classes which use Net::HTTP with https can use OpenSSL
namespace for example exception classes like OpenSSL::SSL::SSLError.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@66964 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
infect taint flag on Array#pack and String#unpack
with the directives "B", "b", "H" and "h".
* pack.c (pack_pack, pack_unpack_internal): infect taint flag.
* test/ruby/test_pack.rb: add test for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65129 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Fix Kernel#singleton_method with Module#Prepend
* proc.c (rb_obj_singleton_method): search the method entry from
the origin class, for fix prepended modules. [Bug #14658]
From: Vasiliy Ermolovich <younash@gmail.com>
proc.c: fix segfault when no singleton class
* proc.c (rb_obj_singleton_method): bail out if the receiver does
not have the singleton class without accessing the origin class
not to segfault. [Bug #14658]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65118 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Use opt_{aref,aset} over opt_{aref,aset}_with
* compile.c (iseq_compile_each0): Use `opt_aref`/`opt_aset` over
`opt_aref_with`/`opt_aset_with` when frozen_string_literal: true,
not to resurrect the index string on non-Hash receiver.
[Fix GH-1957]
From: chopraanmol1 <chopraanmol1@gmail.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65116 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
thread_sync.c (rb_mutex_lock): fix deadlock
* thread_sync.c (rb_mutex_lock): fix deadlock
[ruby-core:87467] [Bug #14841]
thread_sync.c (rb_mutex_lock): acquire lock before being killed
We (the thread acquiring the mutex) need to acquire the mutex
before being killed to work with ConditionVariable#wait.
Thus we reinstate the acquire-immediately-after-sleeping logic
from pre-r63711 while still retaining the
acquire-after-checking-for-interrupts logic from r63711.
This regression was introduced in
commit 501069b8a4 (r63711)
("thread_sync.c (rb_mutex_lock): fix deadlock") for
[Bug #14841]
[ruby-core:88503] [Bug #14999] [Bug #14841]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65115 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Just a shebang is valid code
[ruby-core:89240] [Bug #15190]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65113 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
configure.in: install_name without teeny
* configure.in (RUBY_API_VERSION): remove teeny from install_name
to allow link extension libraries for the same minor version.
patched by kimuraw (Wataru Kimura) at [ruby-dev:50262].
[Bug #13931]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65112 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Support ucrtbase.dll 10.0.17763.1 included in Windows 10 October 2018 Update
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65110 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
win32.c: limit write size on console
* win32/win32.c (constat_parse): split long buffer and limit write
size on a console, as well as rb_w32_write.
[ruby-dev:50597] [Bug #14942]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@64564 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ruby.c: taint ARGV on Windows
* ruby.c (external_str_new_cstr): strings come from the external
should be tainted. [ruby-dev:50596] [Bug #14941]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@64563 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
thread.c (do_select): fix leak on exception
When do_select is interrupted and raise happens from
RUBY_VM_CHECK_INTS_BLOCKING, the original FD sets we copied
do not get freed, leading to a memory leak. Wrap up all the
FD sets into a Ruby object to ensure the GC can release any
allocations made for rb_fdset_t.
This leak existed since Ruby 2.0.0 (r36430)
[Bug #14929]
increase timeout seconds.
* test/ruby/test_io.rb (test_select_leak): increase timeout seconds
to pass this test on a high-load machine.
60 sec is not enough at all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@64561 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
variable.c: fix receiver on private constant
* variable.c (rb_const_search): fix NameError :receiver attribute
on private constant, should raise with the included module, not
the ICLASS.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@64559 b2dd03c8-39d4-4d8f-98ff-823fe69b080e