authordrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2013-11-22 18:53:21 +0000
committerdrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2013-11-22 18:53:21 +0000
commite8e18cff7a7f61e4cf3ee390e1d6da31ecb9a9e4 (patch)
tree11423007aa0b1cde32fe3c95086772967810b20e
parent0a5fc9c35fb0325ac7ee9b9eae65408b17f7add9 (diff)
* lib/rubygems: Update to RubyGems master dcce4ff. Important changes
in this commit: remove automatic detection of gem dependencies files, which closes the security hole described in [ruby-core:58490]; fix bugs for installing git gems. * test/rubygems: ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@43806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog12
-rw-r--r--lib/rubygems.rb14
-rw-r--r--lib/rubygems/resolver/composed_set.rb6
-rw-r--r--lib/rubygems/source/git.rb6
-rw-r--r--lib/rubygems/specification.rb2
-rw-r--r--test/rubygems/test_gem.rb18
-rw-r--r--test/rubygems/test_gem_source_git.rb4
-rw-r--r--test/rubygems/test_gem_specification.rb4
8 files changed, 57 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index fffcc76..2540307 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+Sat Nov 23 03:44:03 2013 Eric Hodel <drbrain@segment7.net>
+
+ * lib/rubygems: Update to RubyGems master dcce4ff. Important changes
+ in this commit:
+
+ Remove automatic detection of gem dependencies files. This prevents a
+ security hole as described in [ruby-core:58490]
+
+ Fixed bugs for installing git gems.
+
+ * test/rubygems: ditto.
+
Fri Nov 22 22:30:00 2013 Kenta Murata <mrkn@mrkn.jp>
* ext/bigdecimal/bigdecimal.c (BigDecimal_power):
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
index a6c97ed..8a0d992 100644
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@@ -8,7 +8,7 @@
require 'rbconfig'
module Gem
- VERSION = '2.2.0.preview.2'
+ VERSION = '2.2.0'
end
# Must be first since it unloads the prelude from 1.9.2
@@ -995,12 +995,16 @@ module Gem
# Looks for gem dependency files (gem.deps.rb, Gemfile, Isolate) from the
# current directory up and activates the gems in the first file found.
#
- # This is run automatically when rubygems starts. To disable, set
- # the <code>RUBYGEMS_GEMDEPS=</code> environment variable to an empty
- # string.
+ # You can run this automatically when rubygems starts. To enable, set
+ # the <code>RUBYGEMS_GEMDEPS</code> environment variable to either the path
+ # of your Gemfile or "-" to auto-discover in parent directories.
+ #
+ # NOTE: Enabling automatic discovery on multiuser systems can lead to
+ # execution of arbitrary code when used from directories outside your
+ # control.
def self.use_gemdeps
- return unless path = ENV['RUBYGEMS_GEMDEPS'] || '-'
+ return unless path = ENV['RUBYGEMS_GEMDEPS']
path = path.dup.untaint
if path == "-"
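Review bot: The new guard `return unless path = ENV['RUBYGEMS_GEMDEPS']` treats an empty variable as enabled, because `""` is truthy in Ruby, while the removed doc comment promised that `RUBYGEMS_GEMDEPS=` disables the feature and the rewritten comment silently drops that promise. Unless the remainder of use_gemdeps (outside the hunk) rejects an empty path, an empty variable now falls through to the file-loading branch; `return if path.nil? || path.empty?` keeps the documented off-switch. The `path.dup.untaint` on the following line also strips taint from an environment-controlled value before it is used as a file path, so under `$SAFE >= 1` this is the one place the taint check is deliberately bypassed and deserves a comment such as `# RUBYGEMS_GEMDEPS is trusted by design: it names a file the user chose to load`. The body of use_gemdeps continues past the end of the hunk.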
diff --git a/lib/rubygems/resolver/composed_set.rb b/lib/rubygems/resolver/composed_set.rb
index 702bd9c..19227e0 100644
--- a/lib/rubygems/resolver/composed_set.rb
+++ b/lib/rubygems/resolver/composed_set.rb
@@ -23,9 +23,9 @@ class Gem::Resolver::ComposedSet < Gem::Resolver::Set
# Finds all specs matching +req+ in all sets.
def find_all req
- res = []
- @sets.each { |s| res += s.find_all(req) }
- res
+ @sets.map do |s|
+ s.find_all req
+ end.flatten
end
##
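Review bot: `.flatten` in the new find_all is a deep flatten, whereas the removed `res += s.find_all(req)` concatenated exactly one level; if any set ever returns nested arrays the two differ, and the deep walk also does more work than needed. `@sets.flat_map { |s| s.find_all req }` is the idiomatic one-level form and matches the original semantics exactly. The method comment could also state the ordering contract: `# Returns the matches of each set, concatenated in set order.`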
diff --git a/lib/rubygems/source/git.rb b/lib/rubygems/source/git.rb
index 8269092..c4f2724 100644
--- a/lib/rubygems/source/git.rb
+++ b/lib/rubygems/source/git.rb
@@ -121,6 +121,12 @@ class Gem::Source::Git < Gem::Source
end
##
+ # Nothing to download for git gems
+
+ def download full_spec, path # :nodoc:
+ end
+
+ ##
# The directory where the git gem will be installed.
def install_dir # :nodoc:
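Review bot: The new `download` ignores both parameters and implicitly returns nil; naming them `_full_spec` and `_path` makes the no-op intent explicit, and the comment should record the return value too, e.g. `# Git gems are fetched at checkout time, so there is nothing to download; returns nil.` If any caller uses the value returned by `download` as a local path (the non-git sources presumably return one), nil from this override would surface there, which is worth confirming against the installer. The rest of the class lies outside the hunk.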
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
index 22e2981..2bcc2c0 100644
--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
@@ -2177,7 +2177,7 @@ class Gem::Specification < Gem::BasicSpecification
# Used by Gem::Resolver to order Gem::Specification objects
def source # :nodoc:
- self
+ Gem::Source::Installed.new
end
##
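Review bot: `source` now allocates a fresh `Gem::Source::Installed` on every call, and the comment above it says Gem::Resolver uses the method for ordering, so this likely runs once per comparison during resolution. `@source ||= Gem::Source::Installed.new` would allocate once per spec, provided Specification does not serialize or compare arbitrary instance variables (not visible here; check before memoizing). The comment could also note the contract change: `# Installed specs always sort as an installed source rather than as self.`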
diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb
index 33d4b25..44b6c4a 100644
--- a/test/rubygems/test_gem.rb
+++ b/test/rubygems/test_gem.rb
@@ -1258,6 +1258,24 @@ class TestGem < Gem::TestCase
Gem.use_gemdeps
+ refute spec.activated?
+ ensure
+ ENV['RUBYGEMS_GEMDEPS'] = rubygems_gemdeps
+ end
+
+ def test_use_gemdeps_automatic
+ rubygems_gemdeps, ENV['RUBYGEMS_GEMDEPS'] = ENV['RUBYGEMS_GEMDEPS'], '-'
+
+ spec = util_spec 'a', 1
+
+ refute spec.activated?
+
+ open 'Gemfile', 'w' do |io|
+ io.write 'gem "a"'
+ end
+
+ Gem.use_gemdeps
+
assert spec.activated?
ensure
ENV['RUBYGEMS_GEMDEPS'] = rubygems_gemdeps
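Review bot: test_use_gemdeps_automatic writes a `Gemfile` into the current directory, but its `ensure` only restores the environment variable, so the file outlives the test unless Gem::TestCase runs each test inside a scratch directory (not visible here; worth confirming). `File.write 'Gemfile', 'gem "a"'` replaces the `open ... do |io| ... end` block and avoids `Kernel#open`, which interprets a leading `|` in its argument as a command to spawn, harmless for this literal but not a habit tests should model. The test method before this one begins outside the hunk.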
diff --git a/test/rubygems/test_gem_source_git.rb b/test/rubygems/test_gem_source_git.rb
index 9cdcbc0..e32649c 100644
--- a/test/rubygems/test_gem_source_git.rb
+++ b/test/rubygems/test_gem_source_git.rb
@@ -51,6 +51,10 @@ class TestGemSourceGit < Gem::TestCase
assert_equal @head[0..11], @source.dir_shortref
end
+ def test_download
+ refute @source.download nil, nil
+ end
+
def test_equals2
assert_equal @source, @source
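Review bot: `refute @source.download nil, nil` passes for both nil and false, so it does not pin the no-op's actual return value; `assert_nil @source.download(nil, nil)` states the contract exactly. Passing nils is fine for a method that ignores its arguments, but a comment such as `# git sources have nothing to download; the override must return nil` explains why the call looks odd.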
diff --git a/test/rubygems/test_gem_specification.rb b/test/rubygems/test_gem_specification.rb
index d08e77f..b637212 100644
--- a/test/rubygems/test_gem_specification.rb
+++ b/test/rubygems/test_gem_specification.rb
@@ -1738,6 +1738,10 @@ dependencies: []
RbConfig::CONFIG['ENABLE_SHARED'] = enable_shared
end
+ def test_source
+ assert_kind_of Gem::Source::Installed, @a1.source
+ end
+
def test_full_require_paths
ext_spec