diff options
| author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-10-11 13:48:14 +0000 |
|---|---|---|
| committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-10-11 13:48:14 +0000 |
| commit | 1281e56682692859e726e24fff30e44aac6f948b (patch) | |
| tree | 5204d7803a0a54bad202117675086ed2eed6532b /lib/rubygems | |
| parent | edda79257537a37a679b7c3a066243ff4123b0d5 (diff) | |
merge revision(s) 60149: [Backport #14003]
Merge rubygems-2.6.14 changes.
It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rubygems')
| -rw-r--r-- | lib/rubygems/config_file.rb | 2 | ||||
| -rw-r--r-- | lib/rubygems/package.rb | 2 | ||||
| -rw-r--r-- | lib/rubygems/package/old.rb | 2 | ||||
| -rw-r--r-- | lib/rubygems/safe_yaml.rb | 48 | ||||
| -rw-r--r-- | lib/rubygems/specification.rb | 2 |
5 files changed, 52 insertions, 4 deletions
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb index c95d7dd1f1..63583b3616 100644 --- a/lib/rubygems/config_file.rb +++ b/lib/rubygems/config_file.rb @@ -345,7 +345,7 @@ if you believe they were disclosed to a third party. return {} unless filename and File.exist? filename begin - content = YAML.load(File.read(filename)) + content = Gem::SafeYAML.load(File.read(filename)) unless content.kind_of? Hash warn "Failed to load #{filename} because it doesn't contain valid YAML hash" return {} diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb index c36e71d800..77811ed5ec 100644 --- a/lib/rubygems/package.rb +++ b/lib/rubygems/package.rb @@ -468,7 +468,7 @@ EOM @checksums = gem.seek 'checksums.yaml.gz' do |entry| Zlib::GzipReader.wrap entry do |gz_io| - YAML.load gz_io.read + Gem::SafeYAML.safe_load gz_io.read end end end diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb index 5e722baa35..071f7141ab 100644 --- a/lib/rubygems/package/old.rb +++ b/lib/rubygems/package/old.rb @@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package header << line end - YAML.load header + Gem::SafeYAML.safe_load header end ## diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb new file mode 100644 index 0000000000..b98cfaa5e6 --- /dev/null +++ b/lib/rubygems/safe_yaml.rb @@ -0,0 +1,48 @@ +module Gem + + ### + # This module is used for safely loading YAML specs from a gem. The + # `safe_load` method defined on this module is specifically designed for + # loading Gem specifications. For loading other YAML safely, please see + # Psych.safe_load + + module SafeYAML + WHITELISTED_CLASSES = %w( + Symbol + Time + Date + Gem::Dependency + Gem::Platform + Gem::Requirement + Gem::Specification + Gem::Version + Gem::Version::Requirement + YAML::Syck::DefaultKey + Syck::DefaultKey + ) + + WHITELISTED_SYMBOLS = %w( + development + runtime + ) + + if ::YAML.respond_to? :safe_load + def self.safe_load input + ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true) + end + + def self.load input + ::YAML.safe_load(input, [::Symbol]) + end + else + warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)." + def self.safe_load input, *args + ::YAML.load input + end + + def self.load input + ::YAML.load input + end + end + end +end diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb index 88e320c05a..40e3a70d47 100644 --- a/lib/rubygems/specification.rb +++ b/lib/rubygems/specification.rb @@ -1101,7 +1101,7 @@ class Gem::Specification < Gem::BasicSpecification Gem.load_yaml input = normalize_yaml_input input - spec = YAML.load input + spec = Gem::SafeYAML.safe_load input if spec && spec.class == FalseClass then raise Gem::EndOfYAMLException |