Changeset 389

Timestamp:

02/19/10 04:13:07 (7 months ago)

Author:

walter

Message:

test AA's for equality; tighten security on file imports

Files:

• branches/dmd-1.x/src/e2ir.c (modified) (1 diff)
• branches/dmd-1.x/src/expression.c (modified) (1 diff)
• trunk/src/e2ir.c (modified) (2 diffs)
• trunk/src/expression.c (modified) (1 diff)

branches/dmd-1.x/src/e2ir.c

@@ -2025 +2025 @@
-#endif
-    e = el_bin(OPcall, TYint, el_var(rtlsym[rtlfunc]), ep);
-    if (op == TOKnotequal)
-        e = el_bin(OPxor, TYint, e, el_long(TYint, 1));
-    el_setLoc(e,loc);
+    }
+    else if (t1->ty == Taarray && t2->ty == Taarray)
+    {   TypeAArray *taa = (TypeAArray *)t1;
+    Symbol *s = taa->aaGetSymbol("Equal", 0);
+    elem *ti = taa->getTypeInfo(NULL)->toElem(irs);
+    elem *ea1 = e1->toElem(irs);
+    elem *ea2 = e2->toElem(irs);
+    // aaEqual(ti, e1, e2)
+    elem *ep = el_params(ea2, ea1, ti, NULL);
+    e = el_bin(OPcall, TYnptr, el_var(s), ep);
+    if (op == TOKnotequal)
+        e = el_bin(OPxor, TYint, e, el_long(TYint, 1));
+    el_setLoc(e,loc);
+    return e;
-    }
-    else
-    e = toElemBin(irs, eop);
-    return e;
-}

branches/dmd-1.x/src/expression.c

@@ -5255 +5255 @@
-    name = (char *)se->string;
-
-    if (!global.params.fileImppath)
-    {   error("need -Jpath switch to import text file %s", name);
-    goto Lerror;
+    }
+
+    /* Be wary of CWE-22: Improper Limitation of a Pathname to a Restricted Directory
+     * ('Path Traversal') attacks.
+     * http://cwe.mitre.org/data/definitions/22.html
+     */
+
+    /* Do harsh sanitizing by limiting the name's character set.
+     */
+    for (const char *p = name; *p; p++)
+    {
+    if (!(isalnum(*p) || *p == '.' || *p == '_'))
+    {
+        error("file name characters are restricted to [a-zA-Z0-9._] not '%c'", *p);
+        goto Lerror;
+    }
-    }
-
-    if (name != FileName::name(name))
-    {   error("use -Jpath switch to provide path for filename %s", name);
-    goto Lerror;

trunk/src/e2ir.c

@@ -1 +1 @@
-
-// Compiler implementation of the D programming language
-09
+10
-// All Rights Reserved
-// written by Walter Bright
-// http://www.digitalmars.com
-// License for redistribution is by either the Artistic License
-// in artistic.txt, or the GNU General Public License in gnu.txt.
@@ -2310 +2310 @@
-#endif
-    e = el_bin(OPcall, TYint, el_var(rtlsym[rtlfunc]), ep);
-    if (op == TOKnotequal)
-        e = el_bin(OPxor, TYint, e, el_long(TYint, 1));
-    el_setLoc(e,loc);
+    }
+    else if (t1->ty == Taarray && t2->ty == Taarray)
+    {   TypeAArray *taa = (TypeAArray *)t1;
+    Symbol *s = taa->aaGetSymbol("Equal", 0);
+    elem *ti = taa->getTypeInfo(NULL)->toElem(irs);
+    elem *ea1 = e1->toElem(irs);
+    elem *ea2 = e2->toElem(irs);
+    // aaEqual(ti, e1, e2)
+    elem *ep = el_params(ea2, ea1, ti, NULL);
+    e = el_bin(OPcall, TYnptr, el_var(s), ep);
+    if (op == TOKnotequal)
+        e = el_bin(OPxor, TYint, e, el_long(TYint, 1));
+    el_setLoc(e,loc);
+    return e;
-    }
-    else
-    e = toElemBin(irs, eop);
-    return e;
-}

trunk/src/expression.c

@@ -5599 +5599 @@
-    if (!global.params.fileImppath)
-    {   error("need -Jpath switch to import text file %s", name);
-    goto Lerror;
-    }
-
+    /* Be wary of CWE-22: Improper Limitation of a Pathname to a Restricted Directory
+     * ('Path Traversal') attacks.
+     * http://cwe.mitre.org/data/definitions/22.html
+     */
+
+    /* Do harsh sanitizing by limiting the name's character set.
+     */
+    for (const char *p = name; *p; p++)
+    {
+    if (!(isalnum(*p) || *p == '.' || *p == '_'))
+    {
+        error("file name characters are restricted to [a-zA-Z0-9._] not '%c'", *p);
+        goto Lerror;
+    }
+    }
+
-    if (name != FileName::name(name))
-    {   error("use -Jpath switch to provide path for filename %s", name);
-    goto Lerror;
-    }
-