Issue #14485 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Closed to Open

I had to revert my patch for this because it failed on a lot of operating systems. There must be cases where the file path is tainted on those systems other than the one place where I removed `rb_obj_taint`. Either that, or the new test I wrote for this (which is the only failure) is flawed and needs to be fixed.

----------------------------------------
Bug #14485: For File#path.tainted? and File#to_path.tainted? should match original.tainted?
https://bugs.ruby-lang.org/issues/14485#change-80203

* Author: tscheingeld (Terry Scheingeld)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Problem: if you create a File object using an untainted path, File#path and File#to_path return identical strings except they are tainted. That's counter-intuitive. If the input path has been properly vetted then File should not taint it.

Here's a simple example which produces a security violation:

    #!/usr/bin/ruby -w
    $SAFE = 1
    path = './myfile.txt'
    file = File.open(path, 'r')
    File.exist?(file.path)

which gives us this error:

    ./to-path.rb:5:in `exist?': Insecure operation - exist? (SecurityError)
      from ./to-path.rb:5:in `<main>'

In this example, path isn't tainted because it was created in the program. However, file.path, which is an identical string (i.e. not normalized) is tainted.

This issue became a problem in rack/lint. (Not sure how to tell which version.) Lint tries to do some optimizing, but crashes in these lines:

    if @body.respond_to?(:to_path)
      assert("The file identified by body.to_path does not exist") {
        ::File.exist? @body.to_path
      }
    end


---Files--------------------------------
file-path-taint.patch (1.9 KB)


-- 
https://bugs.ruby-lang.org/
