diff options
| author | Clayton Smith <[email protected]> | 2016-11-16 10:10:14 -0500 |
|---|---|---|
| committer | Bouke van der Bijl <[email protected]> | 2016-11-24 10:28:21 -0500 |
| commit | 76a1bdfa29469576112a41b78a132b785616a3f9 (patch) | |
| tree | fdf9640beb809b32c6517f7a034e281e0bea1f93 | |
| parent | a630c4f413f6af764e68210430e8b61a435d38d7 (diff) | |
| download | mruby-76a1bdfa29469576112a41b78a132b785616a3f9.tar.gz mruby-76a1bdfa29469576112a41b78a132b785616a3f9.zip | |
Get String length after args in String#chomp!
Fixes RCE issue
Reported by @bouk
| -rw-r--r-- | src/string.c | 4 | ||||
| -rw-r--r-- | test/t/string.rb | 14 |
2 files changed, 16 insertions, 2 deletions
diff --git a/src/string.c b/src/string.c index 5e490bf03..f47294291 100644 --- a/src/string.c +++ b/src/string.c @@ -1235,11 +1235,13 @@ mrb_str_chomp_bang(mrb_state *mrb, mrb_value str) char *p, *pp; mrb_int rslen; mrb_int len; + mrb_int argc; struct RString *s = mrb_str_ptr(str); mrb_str_modify(mrb, s); + argc = mrb_get_args(mrb, "|S", &rs); len = RSTR_LEN(s); - if (mrb_get_args(mrb, "|S", &rs) == 0) { + if (argc == 0) { if (len == 0) return mrb_nil_value(); smart_chomp: if (RSTR_PTR(s)[len-1] == '\n') { diff --git a/test/t/string.rb b/test/t/string.rb index e67389b5c..80fcbe6fa 100644 --- a/test/t/string.rb +++ b/test/t/string.rb @@ -251,6 +251,19 @@ assert('String#chomp!', '15.2.10.5.10') do assert_equal 'abc', e end +assert('String#chomp! uses the correct length') do + class A + def to_str + $s.replace("AA") + "A" + end + end + + $s = "AAA" + $s.chomp!(A.new) + assert_equal $s, "A" +end + assert('String#chop', '15.2.10.5.11') do a = ''.chop b = 'abc'.chop @@ -683,4 +696,3 @@ assert('String#freeze') do assert_raise(RuntimeError) { str.upcase! } end - |