ruby/backport-CVE-2021-31799.patch

From a7f5d6ab88632b3b482fe10611382ff73d14eed7 Mon Sep 17 00:00:00 2001
From: aycabta <aycabta@gmail.com>
Date: Sun, 2 May 2021 20:52:23 +0900
Subject: [PATCH] Use File.open to fix the OS Command Injection vulnerability
 in CVE-2021-31799

Reference:https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7
---
 lib/rdoc/rdoc.rb            |  2 +-
 test/rdoc/test_rdoc_rdoc.rb | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
index 68775c8..0095eb7 100644
--- a/lib/rdoc/rdoc.rb
+++ b/lib/rdoc/rdoc.rb
@@ -433,7 +433,7 @@ The internal error was:
     files.reject do |file|
       file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
         (file =~ /tags$/i and
-         open(file, 'rb') { |io|
+         File.open(file, 'rb') { |io|
            io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
          })
     end
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
index bd47943..07541df 100644
--- a/test/rdoc/test_rdoc_rdoc.rb
+++ b/test/rdoc/test_rdoc_rdoc.rb
@@ -366,6 +366,18 @@ class TestRDocRDoc < RDoc::TestCase
     end
   end
 
+  def test_remove_unparseable_CVE_2021_31799
+    temp_dir do
+      file_list = ['| touch evil.txt && echo tags']
+      file_list.each do |f|
+        FileUtils.touch f
+      end
+
+      assert_equal file_list, @rdoc.remove_unparseable(file_list)
+      assert_equal file_list, Dir.children('.')
+    end
+  end
+
   def test_setup_output_dir
     Dir.mktmpdir {|d|
       path = File.join d, 'testdir'
-- 
1.8.3.1
fix CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 2021-07-31 14:33:04 +08:00			`From a7f5d6ab88632b3b482fe10611382ff73d14eed7 Mon Sep 17 00:00:00 2001`
			`From: aycabta <aycabta@gmail.com>`
			`Date: Sun, 2 May 2021 20:52:23 +0900`
			`Subject: [PATCH] Use File.open to fix the OS Command Injection vulnerability`
			`in CVE-2021-31799`

			`Reference:https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7`
			`---`
			`lib/rdoc/rdoc.rb \| 2 +-`
			`test/rdoc/test_rdoc_rdoc.rb \| 12 ++++++++++++`
			`2 files changed, 13 insertions(+), 1 deletion(-)`

			`diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb`
			`index 68775c8..0095eb7 100644`
			`--- a/lib/rdoc/rdoc.rb`
			`+++ b/lib/rdoc/rdoc.rb`
			`@@ -433,7 +433,7 @@ The internal error was:`
			`files.reject do \|file\|`
			`file =~ /\.(?:class\|eps\|erb\|scpt\.txt\|svg\|ttf\|yml)$/i or`
			`(file =~ /tags$/i and`
			`- open(file, 'rb') { \|io\|`
			`+ File.open(file, 'rb') { \|io\|`
			`io.read(100) =~ /\A(\f\n[^,]+,\d+$\|!_TAG_)/`
			`})`
			`end`
			`diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb`
			`index bd47943..07541df 100644`
			`--- a/test/rdoc/test_rdoc_rdoc.rb`
			`+++ b/test/rdoc/test_rdoc_rdoc.rb`
			`@@ -366,6 +366,18 @@ class TestRDocRDoc < RDoc::TestCase`
			`end`
			`end`

			`+ def test_remove_unparseable_CVE_2021_31799`
			`+ temp_dir do`
			`+ file_list = ['\| touch evil.txt && echo tags']`
			`+ file_list.each do \|f\|`
			`+ FileUtils.touch f`
			`+ end`
			`+`
			`+ assert_equal file_list, @rdoc.remove_unparseable(file_list)`
			`+ assert_equal file_list, Dir.children('.')`
			`+ end`
			`+ end`
			`+`
			`def test_setup_output_dir`
			`Dir.mktmpdir {\|d\|`
			`path = File.join d, 'testdir'`
			`--`
			`1.8.3.1`