diff options
author | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-18 13:01:02 +0000 |
---|---|---|
committer | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-18 13:01:02 +0000 |
commit | ec54e6433f3168c5d315bf4bbe84896f2c4fbbe7 (patch) | |
tree | 54b7e779326623320a296ff39c9df675788caaaf | |
parent | bd00df2f1a96356bc669b39c797cacff65193acd (diff) |
merge revision(s) 50829: [Backport #11248]
* lib/rubygems.rb: bump version to 2.0.14.1. this version fixed
CVE-2015-3900.
* lib/rubygems/remote_fetcher.rb: ditto.
* test/rubygems/test_gem_remote_fetcher.rb: added testcase for CVE-2015-3900
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_0_0@51628 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | lib/rubygems.rb | 2 | ||||
-rw-r--r-- | lib/rubygems/remote_fetcher.rb | 8 | ||||
-rw-r--r-- | test/rubygems/test_gem_remote_fetcher.rb | 49 |
4 files changed, 64 insertions, 4 deletions
@@ -1,3 +1,12 @@ +Tue Aug 18 22:00:12 2015 SHIBATA Hiroshi <hsbt@ruby-lang.org> + + * lib/rubygems.rb: bump version to 2.0.14.1. this version fixed + CVE-2015-3900. + + * lib/rubygems/remote_fetcher.rb: ditto. + + * test/rubygems/test_gem_remote_fetcher.rb: added testcase for CVE-2015-3900 + Tue Jun 2 00:10:14 2015 NAKAMURA Usaku <usa@ruby-lang.org> * lib/resolv.rb (Requester#request): typo, regression introduced at diff --git a/lib/rubygems.rb b/lib/rubygems.rb index 7114a3b1e0..9f18783fb4 100644 --- a/lib/rubygems.rb +++ b/lib/rubygems.rb @@ -8,7 +8,7 @@ require 'rbconfig' module Gem - VERSION = '2.0.14' + VERSION = '2.0.14.1' end # Must be first since it unloads the prelude from 1.9.2 diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb index 157a308769..facbc7a9a6 100644 --- a/lib/rubygems/remote_fetcher.rb +++ b/lib/rubygems/remote_fetcher.rb @@ -103,7 +103,13 @@ class Gem::RemoteFetcher rescue Resolv::ResolvError uri else - URI.parse "#{res.target}#{uri.path}" + target = res.target.to_s.strip + + if /\.#{Regexp.quote(host)}\z/ =~ target + return URI.parse "#{uri.scheme}://#{target}#{uri.path}" + end + + uri end end diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb index 24ab8151fe..e3774d25a3 100644 --- a/test/rubygems/test_gem_remote_fetcher.rb +++ b/test/rubygems/test_gem_remote_fetcher.rb @@ -177,15 +177,60 @@ gems: end def test_api_endpoint + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "gems.example.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values uri = URI.parse "http://gems.example.com/foo" target = MiniTest::Mock.new - target.expect :target, "http://blah.com" + target.expect :target, "blah.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "example.combadguy.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values_that_end_with_original + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "badexample.com" dns = MiniTest::Mock.new dns.expect :getresource, target, [String, Object] fetch = Gem::RemoteFetcher.new nil, dns - assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri) + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) target.verify dns.verify |