From 9ad02399920e67053063b122f10e9973c50d6ed8 Mon Sep 17 00:00:00 2001
From: usa
Date: Thu, 30 Nov 2017 14:29:32 +0000
Subject: merge revision(s) 60149: [Backport #14003]

Merge rubygems-2.6.14 changes.

It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@60946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 6 ++++++
 lib/rubygems.rb | 5 +++--
 lib/rubygems/config_file.rb | 2 +-
 lib/rubygems/package.rb | 2 +-
 lib/rubygems/package/old.rb | 2 +-
 lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++
 lib/rubygems/specification.rb | 2 +-
 version.h | 8 ++++----
 8 files changed, 65 insertions(+), 10 deletions(-)
 create mode 100644 lib/rubygems/safe_yaml.rb

diff --git a/ChangeLog b/ChangeLog
index 2d1f21f197..b5822344fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Thu Nov 30 23:29:00 2017 SHIBATA Hiroshi
+
+ Merge rubygems-2.6.14 changes.
+
+ It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
+
 Fri Sep 15 05:40:40 2017 URABE Shyouhei
 
 fix --with-gmp (broken by r57490)
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
index 9c0219ce06..fd4075a632 100644
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@@ -10,7 +10,7 @@ require 'rbconfig'
 require 'thread'
 
 module Gem
- VERSION = '2.5.2.1'
+ VERSION = '2.5.2.2'
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -602,7 +602,7 @@ module Gem
 
 unless test_syck
 begin
- gem 'psych', '>= 1.2.1'
+ gem 'psych', '>= 2.0.0'
 rescue Gem::LoadError
 # It's OK if the user does not have the psych gem installed. We will
 # attempt to require the stdlib version
@@ -626,6 +626,7 @@ module Gem
 end
 
 require 'yaml'
+ require 'rubygems/safe_yaml'
 
 # If we're supposed to be using syck, then we may have to force
 # activate it via the YAML::ENGINE API.
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
index de90cbfd65..2bcd830f38 100644
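Review bot: The new `require 'rubygems/safe_yaml'` in the third hunk sits before the block that the following context comment says may still force-activate syck through the YAML::ENGINE API, and the new file (see its own hunk) chooses between `::YAML.safe_load` and plain `::YAML.load` once, with `if ::YAML.respond_to? :safe_load` evaluated at require time; if the YAML constant is rebound to syck afterwards, that choice is presumably stale and `safe_load` would call into an engine that was never checked. Consider requiring the helper after engine selection is final, or at least document the ordering: `# must run after the YAML engine is settled: SafeYAML fixes its loader at require time`. The `gem 'psych', '>= 2.0.0'` bump in the second hunk is inside a `rescue Gem::LoadError` that falls through to the stdlib psych, so on an installation whose stdlib psych lacks `safe_load` the helper's unsafe fallback is what ends up active, with only a warning; that is worth a sentence in the commit record. The enclosing `load_yaml` method starts and ends outside these hunks.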
--- a/lib/rubygems/config_file.rb
+++ b/lib/rubygems/config_file.rb
@@ -332,7 +332,7 @@ if you believe they were disclosed to a third party.
 return {} unless filename and File.exist? filename
 
 begin
- content = YAML.load(File.read(filename))
+ content = Gem::SafeYAML.load(File.read(filename))
 unless content.kind_of? Hash
 warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
 return {}
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
index 0d9adba26e..ab49ea2d2c 100644
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -466,7 +466,7 @@ EOM
 
 @checksums = gem.seek 'checksums.yaml.gz' do |entry|
 Zlib::GzipReader.wrap entry do |gz_io|
- YAML.load gz_io.read
+ Gem::SafeYAML.safe_load gz_io.read
 end
 end
 end
diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
index 5e722baa35..071f7141ab 100644
--- a/lib/rubygems/package/old.rb
+++ b/lib/rubygems/package/old.rb
@@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package
 header << line
 end
 
- YAML.load header
+ Gem::SafeYAML.safe_load header
 end
 
 ##
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
new file mode 100644
index 0000000000..b98cfaa5e6
--- /dev/null
+++ b/lib/rubygems/safe_yaml.rb
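Review bot: In the package.rb hunk, `checksums.yaml.gz` is read with `Gem::SafeYAML.safe_load`, which (per the new module) admits the whole specification class whitelist including `Gem::Specification`; if that file holds only a hash of digest strings, as its name suggests but this hunk does not show, the Symbol-only `Gem::SafeYAML.load gz_io.read` is the least-privilege loader and matches what the config_file.rb hunk already does for `.gemrc`. The old.rb hunk does need the wider `safe_load`, since `header` there is a legacy spec document. Whichever loader is kept, a one-line comment at the call site, e.g. `# untrusted: gem-supplied checksums, never full YAML.load`, would stop a future edit from reverting to `YAML.load`. The enclosing methods in all three files start and end outside these hunks.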
@@ -0,0 +1,48 @@
+module Gem
+
+ ###
+ # This module is used for safely loading YAML specs from a gem. The
+ `safe_load` method defined on this module is specifically designed for
+ loading Gem specifications. For loading other YAML safely, please see
+ Psych.safe_load
+
+ module SafeYAML
+ WHITELISTED_CLASSES = %w(
+ Symbol
+ Time
+ Date
+ Gem::Dependency
+ Gem::Platform
+ Gem::Requirement
+ Gem::Specification
+ Gem::Version
+ Gem::Version::Requirement
+ YAML::Syck::DefaultKey
+ Syck::DefaultKey
+ )
+
+ WHITELISTED_SYMBOLS = %w(
+ development
+ runtime
+ )
+
+ if ::YAML.respond_to? :safe_load
+ def self.safe_load input
+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+ end
+
+ def self.load input
+ ::YAML.safe_load(input, [::Symbol])
+ end
+ else
+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+ def self.safe_load input, *args
+ ::YAML.load input
+ end
+
+ def self.load input
+ ::YAML.load input
+ end
+ end
+ end
+end
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
index dd4fde1776..de324d76d9 100644
--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
@@ -1101,7 +1101,7 @@ class Gem::Specification < Gem::BasicSpecification
 Gem.load_yaml
 
 input = normalize_yaml_input input
- spec = YAML.load input
+ spec = Gem::SafeYAML.safe_load input
 
 if spec && spec.class == FalseClass then
 raise Gem::EndOfYAMLException
diff --git a/version.h b/version.h
index cd95e5482c..26b69494e8 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
 #define RUBY_VERSION "2.3.6"
-#define RUBY_RELEASE_DATE "2017-09-15"
-#define RUBY_PATCHLEVEL 378
+#define RUBY_RELEASE_DATE "2017-11-30"
+#define RUBY_PATCHLEVEL 379
 
 #define RUBY_RELEASE_YEAR 2017
-#define RUBY_RELEASE_MONTH 9
-#define RUBY_RELEASE_DAY 15
+#define RUBY_RELEASE_MONTH 11
+#define RUBY_RELEASE_DAY 30
 
 #include "ruby/version.h"
 
-- 
cgit v1.2.3
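Review bot: The `else` branch of the new safe_yaml.rb silently degrades both `safe_load` and `load` to full `::YAML.load`, with only a one-time `warn` at require time, so on a psych without `safe_load` the protection this commit exists for is absent and callers in specification.rb, package.rb and old.rb get no signal that they are deserializing arbitrary objects from gem-supplied YAML. At minimum the branch should say so in the source, e.g. `# No Psych.safe_load: these are plain YAML.load and offer NO protection for untrusted input`, and the two definitions should agree on arity (`safe_load input, *args` versus `safe_load input` above it) so callers cannot rely on a parameter only one branch accepts; failing hard instead of warning is worth considering for the code paths that consume remote gems. Separately, the fourth positional `true` passed to `::YAML.safe_load` enables YAML aliases for that same gem-supplied input, which permits alias-expansion growth on parse; if aliases are needed for spec files, a comment stating that and why would make the trade-off explicit. The module comment would also benefit from naming which caller should use `load` (Symbol-only) versus `safe_load` (spec class whitelist).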