path: root/lib/rubygems/config_file.rb
authordrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2013-02-05 02:37:35 +0000
committerdrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2013-02-05 02:37:35 +0000
commit1633e543db2cc5c1f690840e5e7ea1f2a9af0b55 (patch)
tree2fce34d522a822171b91823dfcf9e0b8a2c9d283 /lib/rubygems/config_file.rb
parent6dfd56696fb49310149dc5ed7af52c8d7f43e536 (diff)
* lib/rubygems/commands/push_command.rb: Fixed credential download for
`gem push --host` * lib/rubygems/gemcutter_utilities.rb: ditto. * test/rubygems/test_gem_commands_push_command.rb: Test for the above. * test/rubygems/test_gem_gemcutter_utilities.rb: ditto. * lib/rubygems/config_file.rb: Abort if the `gem push` credentials file has insecure permissions. * test/rubygems/test_gem_config_file.rb: Test for the above. * lib/rubygems/ext/builder.rb: Do not look for Gemfile, Isolate, etc. while building gem extensions. * lib/rubygems/package.rb: Unset spec and files list if a gem's signatures cannot be verified. * test/rubygems/test_gem_package.rb: Test for the above. * lib/rubygems/specification.rb: Reduce use of eval. * lib/rubygems/test_case.rb: ditto. * test/rubygems/test_gem_specification.rb: Test setting specification_version for legacy gems. Dup Gem.ruby before untainting in case it's frozen. * lib/rubygems.rb: Reduce use of eval. Only read files when looking for Gemfile, Isolate, etc. * test/rubygems/test_gem.rb: Test for the above. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39055 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rubygems/config_file.rb')
-rw-r--r--lib/rubygems/config_file.rb36
1 files changed, 35 insertions, 1 deletions
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
index 81ee32a1d6..7e1432b349 100644
--- a/lib/rubygems/config_file.rb
+++ b/lib/rubygems/config_file.rb
@@ -33,6 +33,8 @@
class Gem::ConfigFile
+ include Gem::UserInteraction
+
DEFAULT_BACKTRACE = false
DEFAULT_BULK_THRESHOLD = 1000
DEFAULT_VERBOSITY = true
@@ -224,6 +226,34 @@ class Gem::ConfigFile
end
##
+ # Checks the permissions of the credentials file. If they are not 0600 an
+ # error message is displayed and RubyGems aborts.
+
+ def check_credentials_permissions
+ return unless File.exist? credentials_path
+
+ existing_permissions = File.stat(credentials_path).mode & 0777
+
+ return if existing_permissions == 0600
+
+ alert_error <<-ERROR
+Your gem push credentials file located at:
+
+\t#{credentials_path}
+
+has file permissions of 0#{existing_permissions.to_s 8} but 0600 is required.
+
+You should reset your credentials at:
+
+\thttps://rubygems.org/profile/edit
+
+if you believe they were disclosed to a third party.
+ ERROR
+
+ terminate_interaction 1
+ end
+
+ ##
# Location of RubyGems.org credentials
def credentials_path
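Review bot: The guard `return if existing_permissions == 0600` in `check_credentials_permissions` accepts exactly one mode, so a stricter file such as 0400 is rejected with a message that calls it insecure, and on platforms where POSIX mode bits are not meaningful (Windows) `File.stat(credentials_path).mode & 0777` is unlikely ever to equal 0600, which would make every call from `load_api_keys` and `rubygems_api_key=` (the two following hunks) abort there. An early `return if Gem.win_platform?` ahead of the `File.exist?` guard, plus a comment stating whether group/other read bits or the exact mode are what matter, would make the intent clear; if only disclosure to other users is the concern, `return if existing_permissions & 0077 == 0` matches the message's purpose more closely. Since `File.stat` follows symlinks and the read in `load_file` happens separately, the check is best-effort rather than a guarantee, and the method comment could say so, e.g. `# Best-effort: stats the file before it is read; a symlinked path is judged by its target.`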
@@ -231,6 +261,8 @@ class Gem::ConfigFile
end
def load_api_keys
+ check_credentials_permissions
+
@api_keys = if File.exist? credentials_path then
load_file(credentials_path)
else
@@ -243,7 +275,9 @@ class Gem::ConfigFile
end
end
- def rubygems_api_key=(api_key)
+ def rubygems_api_key= api_key
+ check_credentials_permissions
+
config = load_file(credentials_path).merge(:rubygems_api_key => api_key)
dirname = File.dirname credentials_path