authorhsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2019-03-05 03:32:58 +0000
committerhsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2019-03-05 03:32:58 +0000
commit08f8cfe14e0f8937e3bcf8a22becdc5ce60b920e (patch)
tree30977064b5f93f9ac5b01b2a676f6d6ffdcec652 /lib/rubygems/package.rb
parent593505ac6f802d2b5bff469425b7c76b65cc9b10 (diff)
Merge RubyGems upstream: 56c0bbb69e4506bda7ef7f447dfec5db820df20b
It fixes multiple vulnerabilities. https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rubygems/package.rb')
-rw-r--r--lib/rubygems/package.rb10
1 files changed, 10 insertions, 0 deletions
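--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -459,6 +459,16 @@ EOM
 raise Gem::Package::PathError.new(destination, destination_dir) unless
 destination.start_with? destination_dir + '/'
+ begin
+ real_destination = File.expand_path(File.realpath(destination))
+ rescue
+ # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
+ nil
+ else
+ raise Gem::Package::PathError.new(real_destination, destination_dir) unless
+ real_destination.start_with? destination_dir + '/'
+ end
+
 destination.untaint
 destination
 end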
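Review bot: The bare `rescue` in the new begin/else block silences every StandardError raised by `File.realpath(destination)`, not only the not-yet-existing destination the comment describes, so an `Errno::EACCES`, `Errno::ELOOP` or `Errno::ENAMETOOLONG` from a path that does exist quietly skips the realpath containment check and extraction continues on the strength of the lexical `start_with?` test alone. Naming the expected cases, `rescue Errno::ENOENT, Errno::ENOTDIR`, keeps the documented intent and lets any other failure surface instead of falling through; if the broader catch is deliberate, the comment should say so. The `nil` on the rescue branch only gives the expression a value and can go along with it. The enclosing method starts before this hunk, so I cannot confirm from here how `destination_dir` is normalized before the comparison.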