authordrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2013-09-10 00:52:14 +0000
committerdrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2013-09-10 00:52:14 +0000
commitf06f90323133e2f1440cd5090a622b56994c4e65 (patch)
tree9eb52cdb3b8e0a8bab0c7e10b5c8cdce14762898 /lib
parent888e5cbbe7398aa814f5a0208a0fd30cfe337f3b (diff)
* lib/rubygems: Update to RubyGems 2.1.0. Fixes CVE-2013-4287.
See http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html for CVE information. See http://rubygems.rubyforge.org/rubygems-update/History_txt.html#label-2.1.0+%2F+2013-09-09 for release notes. * test/rubygems: Tests for the above. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42898 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib')
-rw-r--r--lib/rubygems.rb4
-rw-r--r--lib/rubygems/dependency_resolver.rb8
-rw-r--r--lib/rubygems/dependency_resolver/api_specification.rb3
-rw-r--r--lib/rubygems/dependency_resolver/index_set.rb11
-rw-r--r--lib/rubygems/dependency_resolver/index_specification.rb11
-rw-r--r--lib/rubygems/dependency_resolver/installed_specification.rb4
-rw-r--r--lib/rubygems/dependency_resolver/installer_set.rb11
-rw-r--r--lib/rubygems/gemcutter_utilities.rb3
-rw-r--r--lib/rubygems/request_set.rb3
-rw-r--r--lib/rubygems/spec_fetcher.rb5
-rw-r--r--lib/rubygems/specification.rb3
-rw-r--r--lib/rubygems/test_case.rb15
-rw-r--r--lib/rubygems/version.rb2
13 files changed, 65 insertions, 18 deletions
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
index 79d9546296..51252e4773 100644
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@@ -8,7 +8,7 @@
require 'rbconfig'
module Gem
- VERSION = '2.1.0.rc.2'
+ VERSION = '2.1.0'
end
# Must be first since it unloads the prelude from 1.9.2
@@ -315,7 +315,7 @@ module Gem
@paths = nil
@user_home = nil
Gem::Specification.reset
- Gem::Security.reset if const_defined? :Security
+ Gem::Security.reset if defined?(Gem::Security)
end
##
diff --git a/lib/rubygems/dependency_resolver.rb b/lib/rubygems/dependency_resolver.rb
index e5c05972d8..721fd43c51 100644
--- a/lib/rubygems/dependency_resolver.rb
+++ b/lib/rubygems/dependency_resolver.rb
@@ -79,7 +79,9 @@ class Gem::DependencyResolver
needed = nil
@needed.reverse_each do |n|
- needed = Gem::List.new(Gem::DependencyResolver::DependencyRequest.new(n, nil), needed)
+ request = Gem::DependencyResolver::DependencyRequest.new n, nil
+
+ needed = Gem::List.new request, needed
end
res = resolve_for needed, nil
@@ -162,7 +164,9 @@ class Gem::DependencyResolver
# Sort them so that we try the highest versions
# first.
- possible = possible.sort_by { |s| [s.source, s.version] }
+ possible = possible.sort_by do |s|
+ [s.source, s.version, s.platform == Gem::Platform::RUBY ? -1 : 1]
+ end
# We track the conflicts seen so that we can report them
# to help the user figure out how to fix the situation.
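Review bot: The third sort key in the new `sort_by` block, `s.platform == Gem::Platform::RUBY ? -1 : 1`, is an undocumented magic value that repeats the expression in `Gem::Specification#sort_obj` in lib/rubygems/specification.rb. Because this ordering decides which candidate the resolver tries first, the comment above it should state the intent, for example `# Within one version, platform-specific gems sort after the pure-ruby gem.` Whether the sorted list is consumed from the front or the back is not visible in this hunk, so the wording should be checked against the loop that follows. The enclosing method starts and ends outside the hunk.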
diff --git a/lib/rubygems/dependency_resolver/api_specification.rb b/lib/rubygems/dependency_resolver/api_specification.rb
index 5ad07396cf..ae688780dd 100644
--- a/lib/rubygems/dependency_resolver/api_specification.rb
+++ b/lib/rubygems/dependency_resolver/api_specification.rb
@@ -8,6 +8,7 @@ class Gem::DependencyResolver::APISpecification
attr_reader :dependencies
attr_reader :name
+ attr_reader :platform
attr_reader :set # :nodoc:
attr_reader :version
@@ -15,6 +16,7 @@ class Gem::DependencyResolver::APISpecification
@set = set
@name = api_data[:name]
@version = Gem::Version.new api_data[:number]
+ @platform = api_data[:platform]
@dependencies = api_data[:dependencies].map do |name, ver|
Gem::Dependency.new name, ver.split(/\s*,\s*/)
end
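Review bot: `@platform = api_data[:platform]` stores whatever the remote API returned, so a response without that key leaves `@platform` as nil, and the resolver's `s.platform == Gem::Platform::RUBY` comparison would then treat the spec as platform-specific. Normalizing at the boundary, e.g. `@platform = Gem::Platform.new api_data[:platform]`, would give the sort and the `==` in the next hunk one canonical value to compare. This assumes `Gem::Platform.new` maps nil and 'ruby' to `Gem::Platform::RUBY`, which should be confirmed. `initialize` begins outside the hunk.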
@@ -25,6 +27,7 @@ class Gem::DependencyResolver::APISpecification
@set == other.set and
@name == other.name and
@version == other.version and
+ @platform == other.platform and
@dependencies == other.dependencies
end
diff --git a/lib/rubygems/dependency_resolver/index_set.rb b/lib/rubygems/dependency_resolver/index_set.rb
index fcf919d81b..d6a05e580f 100644
--- a/lib/rubygems/dependency_resolver/index_set.rb
+++ b/lib/rubygems/dependency_resolver/index_set.rb
@@ -43,9 +43,14 @@ class Gem::DependencyResolver::IndexSet
# Called from IndexSpecification to get a true Specification
# object.
- def load_spec name, ver, source
- key = "#{name}-#{ver}"
- @specs[key] ||= source.fetch_spec(Gem::NameTuple.new(name, ver))
+ def load_spec name, ver, platform, source
+ key = "#{name}-#{ver}-#{platform}"
+
+ @specs.fetch key do
+ tuple = Gem::NameTuple.new name, ver, platform
+
+ @specs[key] = source.fetch_spec tuple
+ end
end
##
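Review bot: The cache key in `load_spec`, `"#{name}-#{ver}-#{platform}"`, still leaves out `source`, so if `@specs` is shared across sources, a spec fetched from one source would be returned for the same name, version and platform requested from another. Hyphen-joining is also ambiguous because gem names and platform strings themselves contain hyphens. An array key such as `key = [name, ver, platform, source]` avoids both, provided source objects implement `hash` and `eql?`. The same applies to the identical `load_spec` in lib/rubygems/dependency_resolver/installer_set.rb. The added positional `platform` parameter also breaks any caller outside this diff that still passes three arguments.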
diff --git a/lib/rubygems/dependency_resolver/index_specification.rb b/lib/rubygems/dependency_resolver/index_specification.rb
index 371018ba44..d8ac69d402 100644
--- a/lib/rubygems/dependency_resolver/index_specification.rb
+++ b/lib/rubygems/dependency_resolver/index_specification.rb
@@ -8,6 +8,8 @@ class Gem::DependencyResolver::IndexSpecification
attr_reader :name
+ attr_reader :platform
+
attr_reader :source
attr_reader :version
@@ -39,14 +41,19 @@ class Gem::DependencyResolver::IndexSpecification
q.breakable
q.text full_name
+ unless Gem::Platform::RUBY == @platform then
+ q.breakable
+ q.text @platform
+ end
+
q.breakable
- q.text ' source '
+ q.text 'source '
q.pp @source
end
end
def spec
- @spec ||= @set.load_spec(@name, @version, @source)
+ @spec ||= @set.load_spec(@name, @version, @platform, @source)
end
end
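Review bot: `q.text @platform` in the new `unless` block passes the platform straight to the pretty-printer, which expects a String. If `@platform` can be a `Gem::Platform` object for non-ruby gems, `pretty_print` would raise instead of printing. `q.text @platform.to_s` is safe in both cases. What type `initialize` stores in `@platform` is not visible here, and `pretty_print` begins outside the hunk.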
diff --git a/lib/rubygems/dependency_resolver/installed_specification.rb b/lib/rubygems/dependency_resolver/installed_specification.rb
index af167572bf..ca20ace61e 100644
--- a/lib/rubygems/dependency_resolver/installed_specification.rb
+++ b/lib/rubygems/dependency_resolver/installed_specification.rb
@@ -26,6 +26,10 @@ class Gem::DependencyResolver::InstalledSpecification
@spec.name
end
+ def platform
+ @spec.platform
+ end
+
def source
@source ||= Gem::Source::Installed.new
end
diff --git a/lib/rubygems/dependency_resolver/installer_set.rb b/lib/rubygems/dependency_resolver/installer_set.rb
index 7de052df77..c39f77a005 100644
--- a/lib/rubygems/dependency_resolver/installer_set.rb
+++ b/lib/rubygems/dependency_resolver/installer_set.rb
@@ -115,9 +115,14 @@ class Gem::DependencyResolver::InstallerSet
# Called from IndexSpecification to get a true Specification
# object.
- def load_spec name, ver, source
- key = "#{name}-#{ver}"
- @specs[key] ||= source.fetch_spec Gem::NameTuple.new name, ver
+ def load_spec name, ver, platform, source
+ key = "#{name}-#{ver}-#{platform}"
+
+ @specs.fetch key do
+ tuple = Gem::NameTuple.new name, ver, platform
+
+ @specs[key] = source.fetch_spec tuple
+ end
end
##
diff --git a/lib/rubygems/gemcutter_utilities.rb b/lib/rubygems/gemcutter_utilities.rb
index 6446cc9799..9dbc18ba98 100644
--- a/lib/rubygems/gemcutter_utilities.rb
+++ b/lib/rubygems/gemcutter_utilities.rb
@@ -77,7 +77,8 @@ module Gem::GemcutterUtilities
# Signs in with the RubyGems API at +sign_in_host+ and sets the rubygems API
# key.
- def sign_in sign_in_host = self.host
+ def sign_in sign_in_host = nil
+ sign_in_host ||= self.host
return if Gem.configuration.rubygems_api_key
pretty_host = if Gem::DEFAULT_HOST == sign_in_host then
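Review bot: The doc comment above `sign_in` does not say what happens when no host is passed, and with `sign_in_host ||= self.host` an explicit nil now also falls back to `host`. Since this method signs in at that host, the fallback should be documented, e.g. `# When +sign_in_host+ is nil the value of #host is used.` The body of `sign_in` continues past the end of the hunk.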
diff --git a/lib/rubygems/request_set.rb b/lib/rubygems/request_set.rb
index 748c320c28..a45c64e0b4 100644
--- a/lib/rubygems/request_set.rb
+++ b/lib/rubygems/request_set.rb
@@ -28,7 +28,10 @@ class Gem::RequestSet
@always_install = []
@development = false
+ @requests = []
@soft_missing = false
+ @sorted = nil
+ @specs = nil
yield self if block_given?
end
diff --git a/lib/rubygems/spec_fetcher.rb b/lib/rubygems/spec_fetcher.rb
index 53ff8d1f45..2ed7d4286a 100644
--- a/lib/rubygems/spec_fetcher.rb
+++ b/lib/rubygems/spec_fetcher.rb
@@ -200,8 +200,11 @@ class Gem::SpecFetcher
when :released
tuples_for source, :released
when :complete
- tuples_for(source, :prerelease, true) +
+ names =
+ tuples_for(source, :prerelease, true) +
tuples_for(source, :released)
+
+ names.sort
when :prerelease
tuples_for(source, :prerelease)
else
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
index 49cf25d772..12943a3e24 100644
--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
@@ -34,7 +34,7 @@ class Date; end
# s.homepage = 'https://rubygems.org/gems/example'
# end
#
-# Starting in RubyGems 1.9.0, a Specification can hold arbitrary
+# Starting in RubyGems 2.0, a Specification can hold arbitrary
# metadata. This metadata is accessed via Specification#metadata
# and has the following restrictions:
#
@@ -2097,7 +2097,6 @@ class Gem::Specification < Gem::BasicSpecification
# Returns an object you can use to sort specifications in #sort_by.
def sort_obj
- # TODO: this is horrible. Deprecate it.
[@name, @version, @new_platform == Gem::Platform::RUBY ? -1 : 1]
end
diff --git a/lib/rubygems/test_case.rb b/lib/rubygems/test_case.rb
index 5d59e35403..d6c1a36ad1 100644
--- a/lib/rubygems/test_case.rb
+++ b/lib/rubygems/test_case.rb
@@ -1097,7 +1097,11 @@ Also, a list:
class StaticSet
def initialize(specs)
- @specs = specs.sort_by { |s| s.full_name }
+ @specs = specs
+ end
+
+ def add spec
+ @specs << spec
end
def find_spec(dep)
@@ -1110,6 +1114,15 @@ Also, a list:
@specs.find_all { |s| dep.matches_spec? s }
end
+ def load_spec name, ver, platform, source
+ dep = Gem::Dependency.new name, ver
+ spec = find_spec dep
+
+ Gem::Specification.new spec.name, spec.version do |s|
+ s.platform = spec.platform
+ end
+ end
+
def prefetch(reqs)
end
end
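Review bot: `StaticSet#load_spec` ignores its `platform` and `source` arguments and looks the spec up by name and version only, so a test with two specs differing only in platform gets whichever one `find_spec` returns. It also calls `spec.name` without checking that `find_spec` found anything, which turns a missing fixture into a NoMethodError on nil. Selecting on platform as well, e.g. `spec = @specs.find { |s| dep.matches_spec?(s) && s.platform == platform }`, and raising a descriptive error when nothing matches, would let the helper exercise the platform path this commit adds.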
diff --git a/lib/rubygems/version.rb b/lib/rubygems/version.rb
index fa9bbc5a9d..2e546462d4 100644
--- a/lib/rubygems/version.rb
+++ b/lib/rubygems/version.rb
@@ -147,7 +147,7 @@ class Gem::Version
# FIX: These are only used once, in .correct?. Do they deserve to be
# constants?
- VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc:
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
##
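Review bot: Only the first repeated group in `VERSION_PATTERN` was made atomic; `ANCHORED_VERSION_PATTERN` on the next line still wraps the whole pattern in `(#{VERSION_PATTERN})*`, so a run of digits can be divided among repetitions in many ways and a non-matching input can still force heavy backtracking. Since one version string needs at most one occurrence, `ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:` removes that ambiguity. It should accept the same strings, which the existing version tests can confirm. A regression test that runs `Gem::Version.correct?` on a long invalid string under a time limit would keep the problem from returning.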