Forum: Ruby-dev dl when $SAFE = 1

sheepman (Guest)
on 2007-03-18 05:03
(Received via mailing list)
Hello, this is sheepman.

This is about the behaviour of the dl library when $SAFE = 1.

require 'dl'
$SAFE = 1
h = DL.dlopen(nil)
sys = h.sym('system', 'IP')
uname = 'uname -rs'.taint
sys[uname]

With code like this, a tainted string can be passed as the argument to system and the call goes through.
So I tried writing a patch.

I also made the argument to DL.dlopen be checked with SafeStringValue.

Reading the dl code, String#to_ptr always returns a tainted PtrData even when the original string is not tainted, so I made PtrData.new always return a tainted object as well.

This patch is not backward compatible, so I think it needs some consideration.
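As an added illustration of the scenario and the patch described in this post (example code written for this page, not dl's own code and not from the thread): a pure-Ruby model of the taint check at the dl boundary. Ruby 2.7 stopped tracking taint and Ruby 3.0 removed $SAFE, so the taint flag, the safe level, and the names Val, PtrData, Handle and call_system are all modelled here rather than taken from dl; the library name in the test is a constructed value.

```ruby
# Added example (not dl's own code): a pure-Ruby model of the taint check in
# sheepman's patch. Ruby 2.7 stopped tracking taint and 3.0 removed $SAFE,
# so the taint flag and the safe level are modelled explicitly here.
# A value carrying the "came from outside" flag that String#taint used to set.
Val = Struct.new(:data, :tainted) do
  def taint; Val.new(data, true); end
end
# Model of DL::PtrData: as String#to_ptr does in dl, it is always tainted.
PtrData = Struct.new(:data) do
  def tainted; true; end
end
def to_ptr(val) # model of String#to_ptr / Array#to_ptr
  PtrData.new(val.data.dup)
end
# Model of SafeStringValue(): at $SAFE >= 1 a tainted value is refused.
def safe_string_value(val, safe_level)
  if safe_level >= 1 && val.tainted
    raise SecurityError, "Insecure operation - dl (#{safe_level})"
  end
  val
end
# Model of DL.dlopen / Handle#sym with the patch applied: the library name and
# every argument of a symbol call go through safe_string_value. Nothing is
# executed; a call just returns [symbol name, argument count].
Handle = Struct.new(:safe_level) do
  def self.dlopen(name, safe_level)
    safe_string_value(name, safe_level) unless name.nil?
    new(safe_level)
  end
  def sym(name)
    lambda do |*args|
      args.each { |a| safe_string_value(a, safe_level) }
      [name, args.size]
    end
  end
end
# The scenario from the thread: calling system through dl at a given $SAFE.
def call_system(safe_level, cmd)
  Handle.dlopen(nil, safe_level).sym('system').call(cmd)
end
# true when the block is stopped by the modelled taint check
def refused?
  yield
  false
rescue SecurityError
  true
end
```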
Takaaki Tateishi (Guest)
on 2007-03-18 20:00
(Received via mailing list)
sheepman wrote:
> With code like this, a tainted string can be passed as the argument to system and the call goes through.
> So I tried writing a patch.

First of all, my earlier view was that the check would preferably be done on the side of the Ruby library that calls system. dl was built so that one could access APIs from Ruby instead of writing an extension library, so I thought it would be better for the Ruby programs and libraries that access those APIs to do the SAFE checks.

However, dl is a special kind of extension library, and under the view that in risky programs dl should not be used in a way that depends on external input, I can also agree with forbidding every operation.

Now, about the system example: the call to system itself is subject to the taint check. When a dangerous function is used, the check should apply, and one could also take the view that the arguments should be checked at the same time.

As for dlopen, I think we need to discuss what becomes dangerous through dlopen.

Given the above, I cannot judge which approach is appropriate for the system and dlopen cases.

As for whether an object obtained via malloc should be tainted, I wonder whether an object composed entirely of constants should also be regarded as dangerous. I can imagine that later changes to its contents may require it to become tainted, but what is the reason for making it tainted inside allocate?
sheepman (Guest)
on 2007-03-19 00:43
(Received via mailing list)
Hello, this is sheepman.


On Mon, 19 Mar 2007 03:59:37 +0900
Takaaki Tateishi <ttate@ttsky.net> wrote:

> As for dlopen, I think we need to discuss what becomes dangerous through dlopen.
>
> Given the above, I cannot judge which approach is appropriate for the system and dlopen cases.

Thinking about things like "what security should an extension library provide?" leads into a swamp with no answer, so I think that matching what the ruby core itself does
http://www.ruby-lang.org/ja/man/index.cgi?cmd=view...
would be easier to understand for developers and users alike.


> As for whether an object obtained via malloc should be tainted, I wonder whether an object composed entirely of constants should also be regarded as dangerous. I can imagine that later changes to its contents may require it to become tainted, but what is the reason for making it tainted inside allocate?

That was the result of inferring Tateishi-san's intent from the code Tateishi-san wrote. There is no other reason.

String#to_ptr and Array#to_ptr always returned a tainted PtrData, regardless of the safe level and regardless of whether the string or array being converted was tainted, so I had the casual thought that PtrData.new should follow suit and always return a tainted object too.