From 08f8cfe14e0f8937e3bcf8a22becdc5ce60b920e Mon Sep 17 00:00:00 2001
From: hsbt
Date: Tue, 5 Mar 2019 03:32:58 +0000
Subject: Merge RubyGems upstream: 56c0bbb69e4506bda7ef7f447dfec5db820df20b
It fixed the multiple vulnerabilities.
https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/rubygems/package.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'lib/rubygems/package.rb')
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
index 278ada8514..16cf0c173a 100644
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -459,6 +459,16 @@ EOM
 raise Gem::Package::PathError.new(destination, destination_dir) unless
 destination.start_with? destination_dir + '/'
+ begin
+ real_destination = File.expand_path(File.realpath(destination))
+ rescue
+ # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
+ nil
+ else
+ raise Gem::Package::PathError.new(real_destination, destination_dir) unless
+ real_destination.start_with? destination_dir + '/'
+ end
+
 destination.untaint
 destination
 end
-- cgit v1.2.3
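Review bot: The bare `rescue` in the added block fails open: any StandardError raised by `File.realpath(destination)` skips the resolved-path containment check, whereas the comment justifies only the case where the destination does not exist. Narrowing the clause to `rescue Errno::ENOENT` would let other failures (for example a permission error or a symlink loop) propagate instead of silently falling through to `destination.untaint`; whether callers already handle such errors is not visible here. The comment's reasoning also depends on the caller removing the destination before writing, which happens outside this hunk, so it would help to name that caller, e.g. `# ENOENT only: nothing exists at destination yet, so there is no symlink to follow`. The enclosing method starts above the hunk.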