Fix a command injection vulnerability in Net::FTP.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61248 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
webrick: compile RE correctly for beginning and end match
Using ^ and $ in regexps means we can accidentally get fooled
by "%0a" in HTTP request paths being decoded to newline
characters. Use \A and \z to match beginning and end-of-string
respectively, instead.
Thanks to mame and hsbt for reporting.
* lib/webrick/httpserver.rb (MountTable#compile):
use \A and \z instead of ^ and $
* lib/webrick/httpserver.rb (MountTable#normalize): use \z instead of $
* test/webrick/test_httpserver.rb (test_cntrl_in_path): new test
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61241 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
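
The anchor problem this commit describes, as an added Ruby example that is not WEBrick's own code: `percent_decode`, `mount_regexp`, `mount_for` and `normalize_dir` are constructed helpers modelled on the commit message, with the `:line` variant standing in for the old `^`/`$` regexps and `:string` for the fixed `\A`/`\z` ones.

```ruby
# Added example, not lib/webrick/httpserver.rb. Ruby's ^ and $ always match at
# line boundaries, so once "%0a" in a request path has been decoded to "\n"
# a prefix regexp anchored with ^ can match in the *middle* of the path.
# \A and \z only match at the ends of the whole string.

# Minimal %XX decoder, enough to turn "%0a" into a newline (constructed).
def percent_decode(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Build the mount-table regexp from a list of mount prefixes.
#   :line   mimics the old code: ^ and $ match at every line boundary
#   :string mimics the fix:      \A and \z match only the string's ends
def mount_regexp(prefixes, anchors)
  alt = prefixes.map { |p| Regexp.escape(p) }.join("|")
  case anchors
  when :line   then Regexp.new("^(#{alt})(?=/|$)")
  when :string then Regexp.new("\\A(#{alt})(?=/|\\z)")
  else raise ArgumentError, "anchors must be :line or :string"
  end
end

# The mount prefix the path would be routed to, or nil if none matches.
def mount_for(path, prefixes, anchors)
  m = mount_regexp(prefixes, anchors).match(path)
  m && m[1]
end

# Strip trailing slashes from a mount directory (the normalize step).
# With $ the slash before an embedded newline is stripped too.
def normalize_dir(dir, anchors)
  case anchors
  when :line   then dir.sub(%r{/+$}, "")
  when :string then dir.sub(%r{/+\z}, "")
  else raise ArgumentError, "anchors must be :line or :string"
  end
end

if $PROGRAM_NAME == __FILE__
  decoded = percent_decode("/x%0a/admin")    # "/x\n/admin"
  p mount_for(decoded, ["/admin"], :line)    # "/admin" (matched after the newline)
  p mount_for(decoded, ["/admin"], :string)  # nil      (must match from the start)
end
```

The lookahead `(?=/|$)` is the part that bites twice: `$` also matches before the newline, so with `:line` a prefix followed by `%0a` passes the "prefix ends here" check as well.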
webrick: do not hang acceptor on slow TLS connections
OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients
which negotiate the TCP connection, but fail (or are slow) to
negotiate the subsequent TLS handshake. This prevents the
multi-threaded WEBrick server from accepting other connections.
Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept)
consists of normal read/write traffic over TCP, handle it in the
per-client thread, instead.
Furthermore, using non-blocking accept() is useful for non-TLS
sockets anyway because spurious wakeups are possible from
select(2).
* lib/webrick/server.rb (accept_client): use TCPServer#accept_nonblock
and remove OpenSSL::SSL::SSLSocket#accept call
* lib/webrick/server.rb (start_thread): call OpenSSL::SSL::SSLSocket#accept
* test/webrick/test_ssl_server.rb (test_slow_connect): new test
[ruby-core:83221] [Bug #14005]
webrick: fix up r60172
By making the socket non-blocking in r60172, TLS/SSL negotiation
via the SSL_accept function must handle non-blocking sockets
properly and retry on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
OpenSSL::SSL::SSLSocket#accept cannot do that properly with a
non-blocking socket, so it must use non-blocking logic of
OpenSSL::SSL::SSLSocket#accept_nonblock.
Thanks to MSP-Greg (Greg L) for finding this.
* lib/webrick/server.rb (start_thread): use SSL_accept properly
with non-blocking socket.
[Bug #14013] [Bug #14005]
webrick: fix up r60172 and revert r60189
Thanks to MSP-Greg (Greg L) for helping with this.
* lib/webrick/server.rb (start_thread): ignore ECONNRESET, ECONNABORTED,
EPROTO, and EINVAL on TLS negotiation errors the same way they
were ignored before r60172 in the accept_client method of the
main acceptor thread.
[Bug #14013] [Bug #14005]
webrick: fix up r60172 and r60208
Thanks to MSP-Greg (Greg L) for helping with this.
* lib/webrick/server.rb (start_thread): fix non-local return
introduced in r60208
webrick: fix up r60172 and r60210
Thanks to MSP-Greg (Greg L) for helping with this.
* lib/webrick/server.rb (start_thread): properly fix non-local return
introduced in r60208 and r60210
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61240 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
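
The structure these commits describe, as an added Ruby example rather than WEBrick's code: the acceptor does only a non-blocking TCP accept and retries after `IO.select`, and the TLS handshake runs in the per-client thread via `accept_nonblock`, bounded by a deadline. `demo_ssl_context`, `tls_handshake_thread`, `accept_clients` and `demo`, the self-signed certificate and the 0.5 s handshake timeout are all constructed for this example.

```ruby
require "openssl"
require "socket"

# Self-signed certificate and server context (constructed for the demo only).
def demo_ssl_context
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx
end

# Per-client thread: drive the TLS handshake with accept_nonblock, retrying on
# :wait_readable/:wait_writable, and give up once +timeout+ seconds have
# passed. Returns :ok, :timeout or :error.
def tls_handshake_thread(sock, ctx, timeout)
  Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    deadline = Time.now + timeout
    status = begin
      loop do
        remaining = [deadline - Time.now, 0].max
        case ssl.accept_nonblock(exception: false)
        when :wait_readable
          break :timeout unless IO.select([sock], nil, nil, remaining)
        when :wait_writable
          break :timeout unless IO.select(nil, [sock], nil, remaining)
        else
          break :ok
        end
      end
    rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET, Errno::ECONNABORTED,
           Errno::EPROTO, Errno::EINVAL
      :error # the errors the acceptor thread used to ignore
    end
    ssl.close if status == :ok
    sock.close unless sock.closed?
    status
  end
end

# Acceptor: only the TCP accept happens here, non-blocking and select-driven,
# so no client can hold this loop in a handshake. Accepts +count+ clients and
# returns their handshake results.
def accept_clients(server, ctx, count, handshake_timeout)
  threads = []
  while threads.size < count
    begin
      sock = server.accept_nonblock(exception: false)
    rescue Errno::ECONNRESET, Errno::ECONNABORTED, Errno::EPROTO, Errno::EINVAL
      next # client went away between select and accept
    end
    if sock == :wait_readable
      IO.select([server]) # select(2) may wake spuriously, so just retry
      next
    end
    threads << tls_handshake_thread(sock, ctx, handshake_timeout)
  end
  threads.map(&:value)
end

# Demo: one client opens TCP but never sends a ClientHello, then a normal TLS
# client connects. With the handshake in the acceptor the second client would
# have waited behind the first; here it completes while the first times out
# in its own thread.
def demo(handshake_timeout = 0.5)
  ctx = demo_ssl_context
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  acceptor = Thread.new { accept_clients(server, ctx, 2, handshake_timeout) }

  stalled = TCPSocket.new("127.0.0.1", port) # TCP only, no TLS
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed demo cert
  good = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), client_ctx)
  good.sync_close = true
  good.connect
  good.close

  results = acceptor.value
  stalled.close
  server.close
  results.sort # => [:ok, :timeout]
end

p demo if $PROGRAM_NAME == __FILE__
```

The deadline loop is what the follow-up commits (r60189 and later) had to get right: a non-blocking socket makes `SSL_accept` return `SSL_ERROR_WANT_READ`/`WANT_WRITE`, and without the `IO.select` retry the handshake would fail instead of waiting.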
Merge rubygems-2.6.14 changes.
It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@60946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
lib/webrick/log.rb: sanitize any type of logs
It had failed to sanitize some types of exception messages. Reported and
patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59900 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
An HTTP header value must not contain CR or LF.
to_str -> to_s
* lib/net/http/header.rb (set_field): `val` cannot have `to_str`.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
REXML: Fix a bug that unexpected methods can be called as an XPath function
[HackerOne:249295]
Reported by Andrea Jegher. Thanks!!!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59796 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2.5.2.1. [Backport #13842]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/net/smtp.rb (tlsconnect): support timeout for TLS handshake.
[ruby-core:76893] [Bug #12678]
* lib/net/protocol.rb (ssl_socket_connect): new method to implement
timeout for TLS handshake.
* lib/net/http.rb (connect): use Net::Protocol#ssl_socket_connect.
* test/net/smtp/test_smtp.rb (test_tls_connect, test_tls_connect):
use Socket.tcp_server_sockets in case localhost is resolved to ::1.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59533 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
optparse.rb: get rid of eval
* lib/optparse.rb: try Float() and Integer() instead of eval,
which does too many things.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59530 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
mkmf.rb: fix script installation
* lib/mkmf.rb (MakeMakefile): fix condition to install script
files.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59277 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
rexml: add close tag check on end of document to StreamParser
[ruby-core:81593] [Bug #13636]
Reported by Anton Sivakov. Thanks!!!
* properties.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59239 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
rss: Accept empty text element as valid element
The parser has accepted it but the XML serializer hasn't.
Reported by stefano frabetti. Thanks!!!
[ruby-core:80965] [Bug #13531]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59236 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
CR or LF is included in a line, because they are not allowed in
RFC5321. Thanks, Jeremy Daer.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59230 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
erb.rb: Allow explicit trimming carriage return
when trim_mode is "-", for Windows environments.
[ruby-core:39625] [Bug #5339]
erb.rb: Allow trimming CR in all trim_modes
to unify a behavior with r58823 and r58825.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59226 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
erb.rb: Allow trimming carriage return
when trim_mode is "<>", for Windows environments.
[Bug #11464]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59225 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
fileutils.rb: do not make root
* lib/fileutils.rb (FileUtils#mkdir_p): no need to make root
directory, which should exist and cannot be made with mkdir.
Recent Cygwin can make a directory containing a colon.
[Bug #13214]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58180 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
lib/ostruct.rb: Fix returned value of each_pair.
From a patch by Marcus Stollsteimer. [Fixes #13169]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58178 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ruby-lex.rb: fix for label
* lib/irb/ruby-lex.rb (identify_identifier): treat identifier just
followed by a colon as a label. this is not a precise solution
but enough for the time being. [ruby-core:78526] [Bug #13012]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58170 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ostruct.rb: fix OpenStruct.allocate
* lib/ostruct.rb (OpenStruct.allocate): initialize an instance
variable directly, without calling `initialize` method which may
be overridden in a subclass. [ruby-core:80292] [Bug #13358]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58161 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Fix bug of Tempfile#size if nothing is written [Bug #13198]
* lib/tempfile.rb (Tempfile#size): Fix its behavior when nothing
is written. Tempfile#size should return 0 in this case.
The patch is from nobu <nobu@ruby-lang.org>.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58154 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/uri/mailto.rb: Removed needless `return` and use `.` instead of `::`
with class method.
* test/uri/test_mailto.rb: Added tests for coverage.
Use URI.decode_www_form_component [Bug #10774]
`parser` referred to RFC2396_Parser, but it is separated.
test is contributed by Dominik Menke
test_mailto.rb: adjust scope
test_mailto.rb: overwritten methods
* test/uri/test_mailto.rb (URI::TestMailTo#test_to_mailtext):
merge overwritten methods. [Bug #10774]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58147 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/forwardable.rb (def_instance_delegator): adjust backtrace of
method body by tail call optimization. adjusting the delegated
target is still done by deleting backtrace.
* lib/forwardable.rb (def_single_delegator): ditto.
* lib/forwardable.rb (Forwardable._delegator_method): extract
method generator and deal with non-module objects.
[ruby-dev:49656] [Bug #12478]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@57570 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/tempfile.rb (Tempfile#initialize): [DOC] the first parameter
`basename` is optional and defaulted to an empty string since
[GH-523]. [Fix GH-1225]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56858 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/net/http.rb (transport_request): other than HTTPContinue
in 1xx (HTTPInformation) also needs to continue. [Bug #12890]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56782 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/logger.rb (Logger::Period#next_rotate_time): fix monthly log
rotate when DST is applied during a month of 31 days.
[Fix GH-1458]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56438 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56369 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/uri/generic.rb (def check_password): don't include bad password
in URI exception output
* test/uri/test_generic.rb (def test_set_component): test for behavior
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56243 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/rubygems.rb, lib/rubygems/*, test/rubygems/*: Update rubygems-2.5.2.
It supports enabling frozen string literals and adds a `--norc` option to
disable the `.gemrc` configuration.
See 2.5.2 release notes for other fixes and enhancements.
https://github.com/rubygems/rubygems/blob/a8aa3bac723f045c52471c7b9328310a048561e0/History.txt#L3
* lib/rubygems/specification.rb: `coding` affects only the first line, except
for the shebang.
* lib/rubygems/package.rb, lib/rubygems/package/*: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@56003 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/rexml/attribute.rb (REXML::Attribute#to_string): Fix wrong
entry reference name of double quote.
[Bug #12609][ruby-core:76509]
Patch by Joseph Marrero. Thanks!!!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55958 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/uri/mailto.rb (initialize): RFC3986_Parser#split sets opaque
only if the URI has path-rootless, not path-empty.
[ruby-core:76055] [Bug #12498]
patched by Chris Heisterkamp <cheister@squareup.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55916 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/net/http/generic_request.rb (write_header): A Request-Line must
not contain CR or LF.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55912 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/net/ftp.rb (putline): raise an ArgumentError when
CR or LF is included in a line.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55911 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
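
The CR/LF check that the Net::FTP `putline`, Net::SMTP, Net::HTTP header (`set_field`) and Request-Line commits above all add, generalized into one added Ruby example that is not the stdlib code: `check_no_crlf`, `protocol_line`, `build_request` and `rejected?` are constructed helpers. The `to_s` coercion mirrors the `to_str -> to_s` change, since a header value need not be a String.

```ruby
# Added example, not lib/net/*. Every value that ends up on its own line of a
# line-oriented protocol (an FTP/SMTP command, an HTTP Request-Line, a header
# value) is rejected if it carries CR or LF, so a caller-supplied value can
# never terminate the current line and start another one.

# Coerce with to_s (an Integer header value is fine) and refuse CR/LF.
def check_no_crlf(value, what)
  s = value.to_s
  if s.include?("\r") || s.include?("\n")
    raise ArgumentError, "#{what} must not contain CR or LF"
  end
  s
end

# One command on a line-oriented control channel (the putline case).
def protocol_line(cmd)
  check_no_crlf(cmd, "command") + "\r\n"
end

# Request-Line plus headers for an HTTP/1.1 request; method, path, header
# names and header values are all checked before the CRLFs are appended.
def build_request(method, path, headers)
  m = check_no_crlf(method, "method")
  p = check_no_crlf(path, "path")
  lines = ["#{m} #{p} HTTP/1.1"]
  headers.each do |name, val|
    n = check_no_crlf(name, "header name")
    lines << "#{n}: #{check_no_crlf(val, "header #{n}")}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Demo helper: true if the block raises ArgumentError.
def rejected?
  yield
  false
rescue ArgumentError
  true
end

if $PROGRAM_NAME == __FILE__
  p build_request("GET", "/", { "Host" => "example.test", "Content-Length" => 0 })
  p rejected? { protocol_line("USER a\r\nNOOP") } # true
end
```

The check sits at the point where the line is serialized rather than at the API boundary, so it covers every caller of the method, including ones that build values from user input they never expected to reach the wire.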
* lib/drb/timeridconv.rb: don't use keeper thread. [Bug #12342]
* test/drb/ut_timerholder.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55867 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY
* test/webrick/test_cgi.rb (test_cgi_env): new test
* test/webrick/webrick.cgi (do_GET): new endpoint to dump env
[ruby-core:76511] [Bug #12610]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55791 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/optparse.rb (OptionParser::Completion.candidate): get rid of
nil as key names. [ruby-core:75773] [Bug #12438]
* lib/optparse.rb (OptionParser#make_switch): char class option
cannot be NoArgument, default to RequiredArgument.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55459 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/mkmf.rb (pkg_config): use xsystem consistently to set up
library path environment variable as well as latter pkg-config
calls. [ruby-dev:49619] [Bug #12379]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55001 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/optparse.rb: [DOC] fix example code. base on the code by
Semyon Gaivoronskiy in [ruby-core:75224]. [Bug #12323]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54924 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/securerandom.rb (gen_random): to avoid blocking on Windows.
On Windows OpenSSL RAND_bytes (underlying implementation is
RAND_poll in crypto/rand/rand_win.c) may be blocked at
NetStatisticsGet.
https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues
Instead of this, use Random.raw_seed directly (whose implementation
CryptGenRandom is one of the sources of
entropy of RAND_poll on Windows).
https://wiki.openssl.org/index.php/Random_Numbers
Note: CryptGenRandom function is PRNG and doesn't check its entropy,
so it won't block. [Bug #12139]
https://msdn.microsoft.com/ja-jp/library/windows/desktop/aa379942.aspx
https://tools.ietf.org/html/rfc4086#section-7.1.3
https://eprint.iacr.org/2007/419.pdf
http://www.cs.huji.ac.il/~dolev/pubs/thesis/msc-thesis-leo.pdf
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54713 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
fix commit miss
* test/test_forwardable.rb: add tests for r53381.
* lib/forwardable.rb: Convert given accessors to String.
r53381 changed to accept only Symbol or String for accessors, but
there are several rubygems that pass classes (e.g. Array,
Hash, ...) as accessors. Prior to r53381, it was accepted because Class#to_s
returns its class name. After r53381 given accessors are checked
with define_method, but it accepts only Symbol or String, otherwise
raises TypeError.
def_delegator Foo, :some_method
This change is to revert unwanted incompatibility. But this behavior
may change in the future.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54711 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/irb/ext/save-history.rb: Fix NoMethodError when method is not defined.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54597 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/forwardable.rb (def_instance_delegator) fix delegating to
'args' and 'block', clashing with local variables in generated
methods. [ruby-core:72579] [Bug #11916]
* lib/forwardable.rb (def_single_delegator): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54595 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/irb/ext/save-history.rb: suppress warning: method redefined;
discarding old save_history=.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54592 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* configure.in: improve ICC (Intel C Compiler) support.
* configure.in (CXX): The name of icc's c++ compiler is `icpc`.
* configure.in (warnings): Add `-diag-disable=2259` to suppress
noisy warnings: "non-pointer conversion from "..." to "..." may
lose significant bits".
* configure.in (optflags): Add `-fp-model precise` like -fno-fast-math.
* lib/mkmf.rb: icc supports -Werror=division-by-zero
and -Werror=deprecated-declarations, but doesn't support
-Wdivision-by-zero and -Wdeprecated-declarations.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54552 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/uri/http.rb (URI::HTTP#initialize): [DOC] fix example,
missing mandatory arguments. [ruby-core:74540] [Bug #12215]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54550 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/rubygems/security.rb (DIGEST_ALGORITHM, KEY_ALGORITHM):
should check same name as the used constants.
[ruby-core:72674] [Bug #11940]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54491 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/rubygems/test_case.rb: Fix test on Windows for inconsistent temp path.
https://github.com/rubygems/rubygems/pull/1554
[Bug #12193][ruby-core:74431]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54417 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/resolv.rb (Resolv::IPv6.create): avoid modifying frozen
* test/resolv/test_dns.rb (test_ipv6_create): test for above
[Bug #11910] [ruby-core:72559]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54404 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/ostruct.rb: Fix new_ostruct_member to correctly avoid
redefinition [#11901]
* lib/ostruct.rb (freeze): define deferred accessors before
freezing to get rid of an error when just reading frozen
OpenStruct.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54388 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/ostruct.rb (OpenStruct): make respond_to? work on
just-allocated objects for workaround of Psych.
[ruby-core:72501] [Bug #11884]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@54387 b2dd03c8-39d4-4d8f-98ff-823fe69b080e