dl taint fixes in Ruby 1.8.7-p72 broke Ruby/Tidy

D

Dmitry Borodaenko

Greetings,

Since Ruby 1.8.7-p72, I get the following error when using Ruby/Tidy:

SecurityError: Insecure operation - call

Backtrace:
(eval):5:in `call'
(eval):5:in `tidySetErrorBuffer'
/usr/lib/ruby/1.8/tidy/tidylib.rb:102:in `set_error_buffer'
/usr/lib/ruby/1.8/tidy/tidyobj.rb:31:in `initialize'
/usr/lib/ruby/1.8/tidy.rb:36:in `new'
/usr/lib/ruby/1.8/tidy.rb:36:in `new'
/usr/lib/ruby/1.8/tidy.rb:56:in `open'
/usr/lib/ruby/1.8/samizdat/sanitize.rb:106:in `tidy'

The code that calls tidy is as follows:

def tidy(html)
xml = Tidy.open:)output_xhtml => true, :literal_attributes => true,
:tidy_mark => false, :wrap => 0, :char_encoding => 'utf8'
) {|tidy| tidy.clean(html.to_s.untaint) }

xml.taint
end

Is it Ruby/Tidy that is doing something wrong, or is the security fix
in Ruby 1.8.7-p72 (SVN r17872 [0] would be prime suspect) getting
over-zealous?

[0] http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17872

Here are the relevant (or so I think) bits of Ruby/Tidy code:

class Tidyobj
# . . .
def initialize(options=nil)
@diagnostics = Array.new
@Doc = Tidylib.create
@errors = Array.new
@errbuf = Tidybuf.new
@outbuf = Tidybuf.new
@options = Tidyopt.new(@Doc)
rc = Tidylib.set_error_buffer(@Doc, @errbuf.struct)
verify_severe(rc)
unless options.nil?
options.each { |name, value| Tidylib.opt_parse_value(@Doc, name, value) }
end
end
# . . .
end

class Tidybuf
extend DL::Importable

attr_reader:)struct)

TidyBuffer = struct [
"TidyAllocator* allocator",
"byte* bp",
"uint size",
"uint allocated",
"uint next"
]

def initialize
@struct = TidyBuffer.malloc
end
# . . .
end
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,968
Messages
2,570,149
Members
46,695
Latest member
StanleyDri

Latest Threads

Top