From 2221d68c4d2c208f5aebc511988cc080a3b74cdf Mon Sep 17 00:00:00 2001 From: Eric Davis Date: Sun, 14 Jun 2009 16:22:23 +0000 Subject: [PATCH] Added workaround for a Ruby BigDecimal bug, CVE-2009-1904. (#3475) git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2790 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- .../initializers/bigdecimal-segfault-fix.rb | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 config/initializers/bigdecimal-segfault-fix.rb diff --git a/config/initializers/bigdecimal-segfault-fix.rb b/config/initializers/bigdecimal-segfault-fix.rb new file mode 100644 index 000000000..8fb3bf9ee --- /dev/null +++ b/config/initializers/bigdecimal-segfault-fix.rb @@ -0,0 +1,30 @@ +# Copyright (c) 2009 Michael Koziarski +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +require 'bigdecimal' + +alias BigDecimalUnsafe BigDecimal + + +# This fixes CVE-2009-1904 however it removes legitimate functionality that your +# application may depend on. You are *strongly* advised to upgrade your ruby +# rather than relying on this fix for an extended period of time. + +def BigDecimal(initial, digits=0) + if initial.size > 255 || initial =~ /e/i + raise "Invalid big Decimal Value" + end + BigDecimalUnsafe(initial, digits) +end +