merge revision(s) 50829: [Backport #11248]

* lib/rubygems.rb: bump version to 2.0.14.1. this version fixed
  CVE-2015-3900.

* lib/rubygems/remote_fetcher.rb: ditto.

* test/rubygems/test_gem_remote_fetcher.rb: added testcase for CVE-2015-3900


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_0_0@51628 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

4 files changed, 64 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 203a33166d..305d1be2ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Tue Aug 18 22:00:12 2015  SHIBATA Hiroshi  <hsbt@ruby-lang.org>
+
+	* lib/rubygems.rb: bump version to 2.0.14.1. this version fixed
+	  CVE-2015-3900.
+
+	* lib/rubygems/remote_fetcher.rb: ditto.
+
+	* test/rubygems/test_gem_remote_fetcher.rb: added testcase for CVE-2015-3900
+
 Tue Jun  2 00:10:14 2015  NAKAMURA Usaku  <usa@ruby-lang.org>
 
 	* lib/resolv.rb (Requester#request): typo, regression introduced at
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
index 7114a3b1e0..9f18783fb4 100644
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = '2.0.14'
+  VERSION = '2.0.14.1'
 end
 
 # Must be first since it unloads the prelude from 1.9.2
diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
index 157a308769..facbc7a9a6 100644
--- a/lib/rubygems/remote_fetcher.rb
+++ b/lib/rubygems/remote_fetcher.rb
@@ -103,7 +103,13 @@ class Gem::RemoteFetcher
     rescue Resolv::ResolvError
       uri
     else
-      URI.parse "#{res.target}#{uri.path}"
+      target = res.target.to_s.strip
+
+      if /\.#{Regexp.quote(host)}\z/ =~ target
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+      end
+
+      uri
     end
   end
 
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
index 24ab8151fe..e3774d25a3 100644
--- a/test/rubygems/test_gem_remote_fetcher.rb
+++ b/test/rubygems/test_gem_remote_fetcher.rb
@@ -177,15 +177,60 @@ gems:
   end
 
   def test_api_endpoint
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "gems.example.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values
     uri = URI.parse "http://gems.example.com/foo"
     target = MiniTest::Mock.new
-    target.expect :target, "http://blah.com"
+    target.expect :target, "blah.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "example.combadguy.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "badexample.com"
 
     dns = MiniTest::Mock.new
     dns.expect :getresource, target, [String, Object]
 
     fetch = Gem::RemoteFetcher.new nil, dns
-    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
 
     target.verify
     dns.verify