From 76a1bdfa29469576112a41b78a132b785616a3f9 Mon Sep 17 00:00:00 2001
From: Clayton Smith <clayton.smith@shopify.com>
Date: Wed, 16 Nov 2016 10:10:14 -0500
Subject: Get String length after args in String#chomp!

Fixes RCE issue
Reported by @bouk
---
 test/t/string.rb | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'test')

diff --git a/test/t/string.rb b/test/t/string.rb
index e67389b5c..80fcbe6fa 100644
--- a/test/t/string.rb
+++ b/test/t/string.rb
@@ -251,6 +251,19 @@ assert('String#chomp!', '15.2.10.5.10') do
   assert_equal 'abc', e
 end
 
+assert('String#chomp! uses the correct length') do
+  class A
+    def to_str
+      $s.replace("AA")
+      "A"
+    end
+  end
+
+  $s = "AAA"
+  $s.chomp!(A.new)
+  assert_equal $s, "A"
+end
+
 assert('String#chop', '15.2.10.5.11') do
   a = ''.chop
   b = 'abc'.chop
@@ -683,4 +696,3 @@ assert('String#freeze') do
 
   assert_raise(RuntimeError) { str.upcase! }
 end
-
-- 
cgit v1.2.3