Skip to content

Commit

Permalink
Vertical-bar is disallowed in path names on Windows
Browse files Browse the repository at this point in the history
No risk of remote code execution, when the file cannot be created.

https://github.com/ruby/rdoc/runs/2565343916?check_suite_focus=true#step:5:58
```
Error: test_remove_unparseable_CVE_2021_31799(TestRDocRDoc): Errno::EINVAL: Invalid argument @ utime_failed - | touch evil.txt && echo tags
D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1142:in `utime'
D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1142:in `block in touch'
D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1139:in `each'
D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1139:in `touch'
D:/a/rdoc/rdoc/test/rdoc/test_rdoc_rdoc.rb:463:in `block (2 levels) in test_remove_unparseable_CVE_2021_31799'
     460:     temp_dir do
     461:       file_list = ['| touch evil.txt && echo tags']
     462:       file_list.each do |f|
  => 463:         FileUtils.touch f
     464:       end
     465:
     466:       assert_equal file_list, @rdoc.remove_unparseable(file_list)
```
  • Loading branch information
nobu authored and hsbt committed Nov 11, 2021
1 parent 3653bbc commit 61414e4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion test/rdoc/test_rdoc_rdoc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -460,7 +460,7 @@ def test_remove_unparseable_CVE_2021_31799
temp_dir do
file_list = ['| touch evil.txt && echo tags']
file_list.each do |f|
FileUtils.touch f
FileUtils.touch f rescue omit
end

assert_equal file_list, @rdoc.remove_unparseable(file_list)
Expand Down

0 comments on commit 61414e4

Please sign in to comment.