Before anything else: This bug is marked as "grave", because it
"renders package unusable". Dmitry, I'd downgrade the bug's severity,
as the package is perfectly usable as long as you don't raise
$SAFE. Of course, it _is_ a bug, and it _should_ be fixed, but I don't
see it as grave.
Umh... I'm trying to tackle this, but am still at a loss - Anyway, I
think sharing this might help towards finding the solution. First of
all, look at what $SAFE and SecurityError mean [1].
I am starting with this minimal invocation as a test case:
$ ruby -e '$:.unshift("./lib"); $SAFE=1;require"tidy"; html="";
xml=Tidy.open{|t| t.clean(html)}'
My first guess was, of course, that the set_error_buffer (which is an
"extern" definition - it calls the tidySetErrorBuffer library
function) was getting a tainted parameter. This confirmed it:
--- a/lib/tidy/tidyobj.rb
+++ b/lib/tidy/tidyobj.rb
@@ -28,6 +28,7 @@ class Tidyobj
@errbuf = Tidybuf.new
@outbuf = Tidybuf.new
@options = Tidyopt.new(@doc)
+ warn "*** Doc: [EMAIL PROTECTED] Errbuf: [EMAIL PROTECTED] Struct: [EMAIL
PROTECTED]"
rc = Tidylib.set_error_buffer(@doc, @errbuf.struct)
verify_severe(rc)
unless options.nil?
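Review bot: the added warn in the Tidyobj initializer, placed just before Tidylib.set_error_buffer(@doc, @errbuf.struct), is an unconditional debugging print that writes to stderr every time an object is constructed. Keep it out of the final fix, or guard it behind $DEBUG if the three values it reports are worth keeping as a diagnostic.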
I got this line just before the SecurityError exception is raised:
*** Doc: true Errbuf: false Struct: false
Now, on to untaint the TidyLib C object:
--- a/lib/tidy/tidylib.rb
+++ b/lib/tidy/tidylib.rb
@@ -38,7 +38,9 @@ module Tidylib
# tidyCreate
#
def create
- tidyCreate
+ lib = tidyCreate
+ lib.untaint
+ lib
end
# tidyCleanAndRepair
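Review bot: lib.untaint in create clears the taint mark on whatever tidyCreate returns without saying why that value can be trusted when $SAFE is raised. Add a comment stating that the handle is produced by the library call itself and not derived from external input, so the untaint is not later copied onto data that should stay tainted. The local is named lib although the value is what callers store as @doc, so doc would read better; and since untaint returns its receiver, the body can be the single expression tidyCreate.untaint.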
However, this still fails. My debugging line _does_ change, it is now:
*** Doc: false Errbuf: false Struct: false
Still, it fails just after it, in the set_error_buffer function, whose
body is exactly:
def set_error_buffer(doc, buf)
tidySetErrorBuffer(doc, buf)
end
I get the same behaviour. Still, I'm a lazy and sloppy programmer, so
I added a couple extra warnings as debugging aids:
--- a/lib/tidy/tidylib.rb
+++ b/lib/tidy/tidylib.rb
@@ -99,7 +101,9 @@ module Tidylib
# tidySetErrorBuffer
#
def set_error_buffer(doc, buf)
+ warn "*** Getting #{doc.class}: #{doc.tainted?}, #{buf.class},
#{buf.tainted?}"
tidySetErrorBuffer(doc, buf)
+ warn "...still alive"
end
# Convert to string, replace underscores with dashes (:output_xml =>
'output-xml').
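Review bot: the trailing warn "...still alive" after tidySetErrorBuffer(doc, buf) becomes the last expression of set_error_buffer, so the method now returns warn's nil instead of the library's return code, and the caller in tidyobj.rb hands that value to verify_severe(rc). Capture the result first (rc = tidySetErrorBuffer(doc, buf)), emit the warning, then return rc; both warn lines should be dropped before this leaves local debugging.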
Still, it continues dying:
$ ruby -e '$:.unshift("./lib"); $SAFE=1;require"tidy"; html="";
xml=Tidy.open{|t| t.clean(html)}'
*** Doc: false Errbuf: false Struct: false
*** Getting DL::PtrData: false, DL::Importable::Internal::Memory, false
(eval):5:in `call': Insecure operation - call (SecurityError)
from (eval):5:in `tidySetErrorBuffer'
from ./lib/tidy/tidylib.rb:105:in `set_error_buffer'
from ./lib/tidy/tidyobj.rb:32:in `initialize'
from ./lib/tidy.rb:36:in `new'
from ./lib/tidy.rb:36:in `new'
from ./lib/tidy.rb:56:in `open'
from -e:1
As you can see in my previous patch, nothing besides doc and buf is
invoked here.
Now, buf comes from Tidybuf, which is also C-based
(DL::Importable::Internal::Memory). And... This is where I am stuck: I
can untaint Tidybuf as an object, but not its contents or
results. And, it being a buffer, it _does_ make sense that the data it
generates is considered tainted.
...So, I cannot dig any further :-/ But I hope this information can
help someone else.
Greetings,
[1] http://www.rubycentral.com/pickaxe/taint.html
--
Gunnar Wolf - [EMAIL PROTECTED] - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF