Added workaround for a Ruby BigDecimal bug, CVE-2009-1904. (#3475)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2790 e93f8b46-1217-0410-a6f0-8f06a7374b81pull/351/head
parent
b3afde14fa
commit
2221d68c4d
@ -0,0 +1,30 @@ |
||||
# Copyright (c) 2009 Michael Koziarski <michael@koziarski.com> |
||||
# |
||||
# Permission to use, copy, modify, and/or distribute this software for any |
||||
# purpose with or without fee is hereby granted, provided that the above |
||||
# copyright notice and this permission notice appear in all copies. |
||||
# |
||||
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
||||
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
||||
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
||||
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
||||
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
||||
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
||||
|
||||
require 'bigdecimal' |
||||
|
||||
alias BigDecimalUnsafe BigDecimal |
||||
|
||||
|
||||
# This fixes CVE-2009-1904 however it removes legitimate functionality that your |
||||
# application may depend on. You are *strongly* advised to upgrade your ruby |
||||
# rather than relying on this fix for an extended period of time. |
||||
|
||||
def BigDecimal(initial, digits=0) |
||||
if initial.size > 255 || initial =~ /e/i |
||||
raise "Invalid big Decimal Value" |
||||
end |
||||
BigDecimalUnsafe(initial, digits) |
||||
end |
||||
|
Loading…
Reference in new issue