Issue #14485 has been updated by jeremyevans0 (Jeremy Evans).

File file-path-taint.patch added

I agree that `File#path` should not be tainted unless the path given was tainted.  Attached is a patch that fixes the issue

The code to always taint the result was added in commit:a4934a42cbb84b6679912226581c71b435671f55 in 2003 by matz.  However, the change wasn't mentioned in the commit message, and it may have been committed by accident.


----------------------------------------
Bug #14485: For File#path.tainted? and File#to_path.tainted? should match original.tainted?
https://bugs.ruby-lang.org/issues/14485#change-78753

* Author: tscheingeld (Terry Scheingeld)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Problem: if you create a File object using an untainted path, File#path and File#to_path return identical strings except they are tainted. That's counter-intuitive. If the input path has been properly vetted then File should not taint it.

Here's a simple example which produces a security violation:

    #!/usr/bin/ruby -w
    $SAFE = 1
    path = './myfile.txt'
    file = File.open(path, 'r')
    File.exist?(file.path)

which gives us this error:

    ./to-path.rb:5:in `exist?': Insecure operation - exist? (SecurityError)
      from ./to-path.rb:5:in `<main>'

In this example, path isn't tainted because it was created in the program. However, file.path, which is an identical string (i.e. not normalized) is tainted.

This issue became a problem in rack/lint. (Not sure how to tell which version.) Lint tries to do some optimizing, but crashes in these lines:

    if @body.respond_to?(:to_path)
      assert("The file identified by body.to_path does not exist") {
        ::File.exist? @body.to_path
      }
    end


---Files--------------------------------
file-path-taint.patch (1.9 KB)


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>