Package: ruby-odbc Version: 0.99998-2 Severity: normal Tags: patch Dear Maintainer,
As I mentioned at the end of: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941707 Using ruby-odbc under Bullseye's Ruby generates warnings of the deprecation of tainting, as can be demonstrated by running the simplest of SQL queries: $ ruby -e 'require "makeTdConnection"; db = makeTdConnection(); db.execute("select 0").finish();' $ If warnings are enabled, the same becomes: $ ruby -we 'require "makeTdConnection"; db = makeTdConnection(); db.execute("select 0").finish();' /usr/lib/ruby/vendor_ruby/dbd/odbc/statement.rb:89: warning: rb_tainted_str_new_cstr is deprecated and will be removed in Ruby 3.2. /usr/lib/ruby/vendor_ruby/dbd/odbc/statement.rb:89: warning: rb_tainted_str_new_cstr is deprecated and will be removed in Ruby 3.2. /usr/lib/ruby/vendor_ruby/dbd/odbc/statement.rb:89: warning: rb_tainted_str_new_cstr is deprecated and will be removed in Ruby 3.2. /usr/lib/ruby/vendor_ruby/dbd/odbc/statement.rb:89: warning: rb_tainted_str_new_cstr is deprecated and will be removed in Ruby 3.2. $ I attach a rather simple-minded, understanding-free patch that we've been using without incident since 2023-04-16. -- System Information: Debian Release: 11.7 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-22-amd64 (SMP w/8 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages ruby-odbc depends on: ii libc6 2.31-13+deb11u6 ii libodbc1 2.3.6-0.1+b1 ii libruby2.7 2.7.4-1+deb11u1 ii odbcinst1debian2 2.3.6-0.1+b1 ii ruby 1:2.7+2 ii ruby1.8 [ruby] 1.8.7.358-7.1+deb7u6 ii unixodbc 2.3.6-0.1+b1 ruby-odbc recommends no packages. 
ruby-odbc suggests no packages. -- no debconf information
--- ext/odbc.c.orig 2023-04-16 13:02:20.028926480 -0700
+++ ext/odbc.c 2023-04-16 12:59:56.947862615 -0700
@@ -69,6 +69,16 @@
 #include "ruby/thread.h"
 #endif
+#if 0
+#define MAYBE_OBJ_TAINT(obj) rb_obj_taint(obj)
+#define MAYBE_TAINTED_STR_NEW(ptr, len) rb_tainted_str_new(ptr, len)
+#define MAYBE_TAINTED_STR_NEW2(ptr) rb_tainted_str_new2(ptr)
+#else
+#define MAYBE_OBJ_TAINT(obj) obj
+#define MAYBE_TAINTED_STR_NEW(ptr, len) rb_str_new(ptr, len)
+#define MAYBE_TAINTED_STR_NEW2(ptr) rb_str_new_cstr(ptr)
+#endif
+
 /*
 * Conditionally undefine aliases of ODBC installer UNICODE functions.
 */
@@ -1371,7 +1381,7 @@
 if ((cp != NULL) && (str != NULL)) {
 ulen = mkutf(cp, str, len);
 }
- v = rb_tainted_str_new((cp != NULL) ? cp : "", ulen);
+ v = MAYBE_TAINTED_STR_NEW((cp != NULL) ? cp : "", ulen);
 #ifdef USE_RB_ENC
 rb_enc_associate(v, rb_enc);
 #endif
@@ -1861,7 +1871,7 @@
 rb_enc_associate(v, rb_enc);
 #endif
 a = rb_ary_new2(1);
- rb_ary_push(a, rb_obj_taint(v));
+ rb_ary_push(a, MAYBE_OBJ_TAINT(v));
 CVAR_SET(Cobj, warn ? IDatatinfo : IDataterror, a);
 return STR2CSTR(v);
 }
@@ -1939,7 +1949,7 @@
 v0 = v;
 a = rb_ary_new();
 }
- rb_ary_push(a, rb_obj_taint(v));
+ rb_ary_push(a, MAYBE_OBJ_TAINT(v));
 tracemsg(1, fprintf(stderr, " | %s\n", STR2CSTR(v)););
 }
 }
@@ -2035,7 +2045,7 @@
 v0 = v;
 a = rb_ary_new();
 }
- rb_ary_push(a, rb_obj_taint(v));
+ rb_ary_push(a, MAYBE_OBJ_TAINT(v));
 tracemsg(1, fprintf(stderr, " | %s\n", STR2CSTR(v)););
 }
 }
@@ -2289,7 +2299,7 @@
 buf[SQL_MAX_MESSAGE_LENGTH] = '\0';
 v = rb_str_new2(buf);
 a = rb_ary_new2(1);
- rb_ary_push(a, rb_obj_taint(v));
+ rb_ary_push(a, MAYBE_OBJ_TAINT(v));
 CVAR_SET(Cobj, IDataterror, a);
 rb_raise(Cerror, "%s", buf);
 return Qnil;
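Review bot: The `#if 0` in the first hunk (the `MAYBE_*` macro block) turns tainting off unconditionally, so a build against an older Ruby in which the taint flag still had an effect would silently stop marking driver-supplied strings as tainted. Gating the block on the Ruby version instead, for example `#if defined(RUBY_API_VERSION_CODE) && RUBY_API_VERSION_CODE < 20700` (assuming `ruby/version.h` is or can be included here; the include list is outside the hunk), would keep the old behaviour where it matters. The pass-through macro should also parenthesize its argument, `#define MAYBE_OBJ_TAINT(obj) (obj)`. A short comment above the block, saying that every string built through these macros comes from the ODBC driver or data source and remains untrusted input even without a taint flag, would help later readers.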
@@ -2379,8 +2389,8 @@
 #else
 dsnLen = (dsnLen == 0) ? (SQLSMALLINT) strlen(dsn) : dsnLen;
 descrLen = (descrLen == 0) ? (SQLSMALLINT) strlen(descr) : descrLen;
- rb_iv_set(odsn, "@name", rb_tainted_str_new(dsn, dsnLen));
- rb_iv_set(odsn, "@descr", rb_tainted_str_new(descr, descrLen));
+ rb_iv_set(odsn, "@name", MAYBE_TAINTED_STR_NEW(dsn, dsnLen));
+ rb_iv_set(odsn, "@descr", MAYBE_TAINTED_STR_NEW(descr, descrLen));
 #endif
 rb_ary_push(aret, odsn);
 first = dsnLen = descrLen = 0;
@@ -2444,13 +2454,13 @@
 }
 #else
 driverLen = (driverLen == 0) ? (SQLSMALLINT) strlen(driver) : driverLen;
- rb_iv_set(odrv, "@name", rb_tainted_str_new(driver, driverLen));
+ rb_iv_set(odrv, "@name", MAYBE_TAINTED_STR_NEW(driver, driverLen));
 for (attr = attrs; *attr; attr += strlen(attr) + 1) {
 char *p = strchr(attr, '=');
 if ((p != NULL) && (p != attr)) {
- rb_hash_aset(h, rb_tainted_str_new(attr, p - attr),
- rb_tainted_str_new2(p + 1));
+ rb_hash_aset(h, MAYBE_TAINTED_STR_NEW(attr, p - attr),
+ MAYBE_TAINTED_STR_NEW2(p + 1));
 count++;
 }
 }
@@ -2759,7 +2769,7 @@
 if (SQLReadFileDSN((LPCSTR) sfname, (LPCSTR) saname, (LPCSTR) skname, (LPSTR) valbuf, sizeof (valbuf), NULL)) {
- return rb_tainted_str_new2((char *) valbuf);
+ return MAYBE_TAINTED_STR_NEW2((char *) valbuf);
 }
 }
 #else
@@ -2769,7 +2779,7 @@
 valbuf[0] = '\0';
 if (SQLReadFileDSN(sfname, saname, skname, valbuf, sizeof (valbuf), NULL)) {
- return rb_tainted_str_new2(valbuf);
+ return MAYBE_TAINTED_STR_NEW2(valbuf);
 }
 #endif
 #if defined(HAVE_SQLINSTALLERERROR) || (defined(UNICODE) && defined(HAVE_SQLINSTALLERERRORW))
@@ -4548,7 +4558,7 @@
 len = 0;
 }
 mkutf(tmp, name, len);
- v = rb_tainted_str_new2(upcase_if(tmp, 1));
+ v = MAYBE_TAINTED_STR_NEW2(upcase_if(tmp, 1));
 #ifdef USE_RB_ENC
 rb_enc_associate(v, rb_enc);
 #endif
@@ -4560,7 +4570,7 @@
 rb_iv_set(obj, "@name", uc_tainted_str_new2(name));
 }
 #else
- rb_iv_set(obj, "@name", rb_tainted_str_new2(upcase_if(name, upc)));
+ rb_iv_set(obj, "@name", MAYBE_TAINTED_STR_NEW2(upcase_if(name, upc)));
 #endif
 v = Qnil;
 name[0] = 0;
@@ -4578,7 +4588,7 @@
 #ifdef UNICODE
 v = uc_tainted_str_new2(name);
 #else
- v = rb_tainted_str_new2(name);
+ v = MAYBE_TAINTED_STR_NEW2(name);
 #endif
 }
 rb_iv_set(obj, "@table", v);
@@ -6670,7 +6680,7 @@
 break;
 #endif
 case SQL_C_CHAR:
- v = rb_tainted_str_new(q->paraminfo[vnum].outbuf,
+ v = MAYBE_TAINTED_STR_NEW(q->paraminfo[vnum].outbuf,
 q->paraminfo[vnum].rlen);
 break;
 }
@@ -6746,7 +6756,7 @@
 return uc_tainted_str_new(cname, cnLen);
 #else
 cnLen = (cnLen == 0) ? (SQLSMALLINT) strlen((char *) cname) : cnLen;
- return rb_tainted_str_new((char *) cname, cnLen);
+ return MAYBE_TAINTED_STR_NEW((char *) cname, cnLen);
 #endif
 }
 if (TYPE(cn) != T_STRING) {
@@ -6832,7 +6842,7 @@
 sprintf(buf, "#%d", i);
 name = rb_str_dup(name);
- name = rb_obj_taint(rb_str_cat2(name, buf));
+ name = MAYBE_OBJ_TAINT(rb_str_cat2(name, buf));
 }
 rb_hash_aset(res, name, obj);
 }
@@ -7081,7 +7091,7 @@
 }
 for (i = 0; i < 4 * q->ncols; i++) {
 res = colbuf[i / q->ncols];
- cname = rb_tainted_str_new2(q->colnames[i]);
+ cname = MAYBE_TAINTED_STR_NEW2(q->colnames[i]);
 #ifdef USE_RB_ENC
 rb_enc_associate(cname, rb_enc);
 #endif
@@ -7089,7 +7099,7 @@
 if (rb_funcall(res, IDkeyp, 1, cname) == Qtrue) {
 char *p;
- cname = rb_tainted_str_new2(q->colnames[i]);
+ cname = MAYBE_TAINTED_STR_NEW2(q->colnames[i]);
 #ifdef USE_RB_ENC
 rb_enc_associate(cname, rb_enc);
 #endif
@@ -7330,7 +7340,7 @@
 break;
 #endif
 default:
- v = rb_tainted_str_new(valp, curlen);
+ v = MAYBE_TAINTED_STR_NEW(valp, curlen);
 break;
 }
 }
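Review bot: The `#ifdef UNICODE` branches visible as context in the `@@ -4560`, `@@ -4578` and `@@ -6746` hunks still call `uc_tainted_str_new2` and `uc_tainted_str_new`, and the patch leaves those call sites untouched. The helper bodies are outside these hunks (the `@@ -1371` hunk may be one of them), so it is worth confirming that a UNICODE build no longer reaches `rb_tainted_str_new*` or `rb_obj_taint` through them. If the helpers do go through the new macros, a one-line comment such as `/* uc_tainted_* keep their names; tainting is controlled by MAYBE_* above */` would explain the leftover naming.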
@@ -7343,14 +7353,14 @@
 valp = q->colnames[i + offc];
 name = (q->colvals == NULL) ? Qnil : q->colvals[i + offc];
 if (name == Qnil) {
- name = rb_tainted_str_new2(valp);
+ name = MAYBE_TAINTED_STR_NEW2(valp);
 #ifdef USE_RB_ENC
 rb_enc_associate(name, rb_enc);
 #endif
 if (rb_funcall(res, IDkeyp, 1, name) == Qtrue) {
 char *p;
- name = rb_tainted_str_new2(valp);
+ name = MAYBE_TAINTED_STR_NEW2(valp);
 #ifdef USE_RB_ENC
 rb_enc_associate(name, rb_enc);
 #endif