authorusa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-11-30 14:29:32 +0000
committerusa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-11-30 14:29:32 +0000
commit9ad02399920e67053063b122f10e9973c50d6ed8 (patch)
tree2b44b40fa1cb1bcbd8f1f76172bdd8f919d378bc
parent463a56d14b9241c8631d71d286760ea092d70c36 (diff)
merge revision(s) 60149: [Backport #14003]
Merge rubygems-2.6.14 changes. It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@60946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog6
-rw-r--r--lib/rubygems.rb5
-rw-r--r--lib/rubygems/config_file.rb2
-rw-r--r--lib/rubygems/package.rb2
-rw-r--r--lib/rubygems/package/old.rb2
-rw-r--r--lib/rubygems/safe_yaml.rb48
-rw-r--r--lib/rubygems/specification.rb2
-rw-r--r--version.h8
8 files changed, 65 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 2d1f21f197..b5822344fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Thu Nov 30 23:29:00 2017 SHIBATA Hiroshi <hsbt@ruby-lang.org>
+
+ Merge rubygems-2.6.14 changes.
+
+ It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
+
Fri Sep 15 05:40:40 2017 URABE Shyouhei <shyouhei@ruby-lang.org>
fix --with-gmp (broken by r57490)
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
index 9c0219ce06..fd4075a632 100644
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@@ -10,7 +10,7 @@ require 'rbconfig'
require 'thread'
module Gem
- VERSION = '2.5.2.1'
+ VERSION = '2.5.2.2'
end
# Must be first since it unloads the prelude from 1.9.2
@@ -602,7 +602,7 @@ module Gem
unless test_syck
begin
- gem 'psych', '>= 1.2.1'
+ gem 'psych', '>= 2.0.0'
rescue Gem::LoadError
# It's OK if the user does not have the psych gem installed. We will
# attempt to require the stdlib version
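Review bot: The comment on the rescue is now incomplete: after the bump to `gem 'psych', '>= 2.0.0'`, a `Gem::LoadError` is also raised when an installed psych gem is merely older than 2.0, and the stdlib psych that is then required must itself provide `safe_load`, otherwise the `Gem::SafeYAML` path this commit introduces is not taken. I would extend the comment to `# It's OK if the user has no psych gem >= 2.0; the stdlib version is used instead, but it must also be >= 2.0 for Gem::SafeYAML to load safely.` The enclosing method starts before this hunk and continues after it.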
@@ -626,6 +626,7 @@ module Gem
end
require 'yaml'
+ require 'rubygems/safe_yaml'
# If we're supposed to be using syck, then we may have to force
# activate it via the YAML::ENGINE API.
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
index de90cbfd65..2bcd830f38 100644
--- a/lib/rubygems/config_file.rb
+++ b/lib/rubygems/config_file.rb
@@ -332,7 +332,7 @@ if you believe they were disclosed to a third party.
return {} unless filename and File.exist? filename
begin
- content = YAML.load(File.read(filename))
+ content = Gem::SafeYAML.load(File.read(filename))
unless content.kind_of? Hash
warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
return {}
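Review bot: `Gem::SafeYAML.load` can raise where `YAML.load` returned a value: it leaves aliases disabled and permits only `Symbol`, so a config file that uses YAML anchors/aliases or any tagged object now raises `Psych::BadAlias` or `Psych::DisallowedClass` instead of reaching the `kind_of? Hash` check. Whether the `rescue` of this `begin` block (outside the hunk) catches those psych exceptions is not visible here; if it does not, a previously loadable `.gemrc` will abort every gem command with a raw psych backtrace. Consider handling them next to the existing handlers and naming the file, e.g. `rescue Psych::BadAlias, Psych::DisallowedClass => e` / `warn "Failed to load #{filename}: #{e.message}"` / `return {}`. The enclosing method starts and ends outside this hunk.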
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
index 0d9adba26e..ab49ea2d2c 100644
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -466,7 +466,7 @@ EOM
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
Zlib::GzipReader.wrap entry do |gz_io|
- YAML.load gz_io.read
+ Gem::SafeYAML.safe_load gz_io.read
end
end
end
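Review bot: `Gem::SafeYAML.safe_load` for `checksums.yaml.gz` grants more than this data needs: it admits the full spec whitelist (`Gem::Specification`, `Gem::Dependency`, `Gem::Requirement`, ...) plus aliases, whereas a checksum file presumably holds only nested hashes of strings. If that is what `checksums.yaml.gz` contains, `Gem::SafeYAML.load gz_io.read` (Symbol only, no aliases) is the tighter choice and keeps object instantiation entirely out of the path that verifies package integrity. The `@checksums` assignment sits in a method whose start and end are outside this hunk.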
diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
index 5e722baa35..071f7141ab 100644
--- a/lib/rubygems/package/old.rb
+++ b/lib/rubygems/package/old.rb
@@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package
header << line
end
- YAML.load header
+ Gem::SafeYAML.safe_load header
end
##
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
new file mode 100644
index 0000000000..b98cfaa5e6
--- /dev/null
+++ b/lib/rubygems/safe_yaml.rb
@@ -0,0 +1,48 @@
+module Gem
+
+ ###
+ # This module is used for safely loading YAML specs from a gem. The
+ # `safe_load` method defined on this module is specifically designed for
+ # loading Gem specifications. For loading other YAML safely, please see
+ # Psych.safe_load
+
+ module SafeYAML
+ WHITELISTED_CLASSES = %w(
+ Symbol
+ Time
+ Date
+ Gem::Dependency
+ Gem::Platform
+ Gem::Requirement
+ Gem::Specification
+ Gem::Version
+ Gem::Version::Requirement
+ YAML::Syck::DefaultKey
+ Syck::DefaultKey
+ )
+
+ WHITELISTED_SYMBOLS = %w(
+ development
+ runtime
+ )
+
+ if ::YAML.respond_to? :safe_load
+ def self.safe_load input
+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+ end
+
+ def self.load input
+ ::YAML.safe_load(input, [::Symbol])
+ end
+ else
+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+ def self.safe_load input, *args
+ ::YAML.load input
+ end
+
+ def self.load input
+ ::YAML.load input
+ end
+ end
+ end
+end
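Review bot: The `else` branch silently reintroduces the unsafe deserialization this commit fixes: when `YAML.safe_load` is absent, both `safe_load` and `load` fall back to `::YAML.load`, and the only signal is a one-time `warn` at require time that does not say gem metadata will again be deserialized with arbitrary-object instantiation. Since the psych hunk in `lib/rubygems.rb` shows syck is still a supported engine on this branch, a hard failure may not be acceptable, but the message should state the consequence, e.g. `warn "YAML safe loading is not available: gem metadata and .gemrc will be loaded with YAML.load, which can instantiate arbitrary objects. Please upgrade psych to >= 2.0."`. Two smaller points: the fallback `safe_load input, *args` accepts extra arguments the primary definition does not, so the two branches do not share a signature, and `WHITELISTED_CLASSES`/`WHITELISTED_SYMBOLS` are mutable arrays passed straight into `safe_load` and should carry `.freeze`.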
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
index dd4fde1776..de324d76d9 100644
--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
@@ -1101,7 +1101,7 @@ class Gem::Specification < Gem::BasicSpecification
Gem.load_yaml
input = normalize_yaml_input input
- spec = YAML.load input
+ spec = Gem::SafeYAML.safe_load input
if spec && spec.class == FalseClass then
raise Gem::EndOfYAMLException
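Review bot: The `false` check on the lines after the change only covers a spec that parses to `false`; with `Gem::SafeYAML.safe_load`, a gemspec carrying a tag outside the whitelist now raises `Psych::DisallowedClass` instead of returning, and nothing in this hunk turns that into a `Gem::Exception` that names the offending class or the spec. If this method's callers (outside the hunk) rescue only RubyGems exceptions, a malicious or merely unusual gem now surfaces as a bare psych backtrace rather than a clear rejection; a `rescue Psych::DisallowedClass => e` that re-raises as `Gem::Exception` with `e.message` would keep the rejection but make it diagnosable. The enclosing method starts and ends outside this hunk.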
diff --git a/version.h b/version.h
index cd95e5482c..26b69494e8 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
#define RUBY_VERSION "2.3.6"
-#define RUBY_RELEASE_DATE "2017-09-15"
-#define RUBY_PATCHLEVEL 378
+#define RUBY_RELEASE_DATE "2017-11-30"
+#define RUBY_PATCHLEVEL 379
#define RUBY_RELEASE_YEAR 2017
-#define RUBY_RELEASE_MONTH 9
-#define RUBY_RELEASE_DAY 15
+#define RUBY_RELEASE_MONTH 11
+#define RUBY_RELEASE_DAY 30
#include "ruby/version.h"