From 1eb503373e808b9cd2e1dbff5ec72d151a74d981 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA
Date: Wed, 25 Sep 2019 21:34:55 +0900
Subject: [rubygems/rubygems] filter dependency type and name strictly.
Co-authored-by: Yusuke Endoh
https://github.com/rubygems/rubygems/commit/92892bbc3a
---
 lib/rubygems/installer.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'lib/rubygems')
diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
index 898f6e46a1..0ffddc52fc 100644
--- a/lib/rubygems/installer.rb
+++ b/lib/rubygems/installer.rb
@@ -754,7 +754,11 @@ class Gem::Installer
 raise Gem::InstallError, "#{spec} has an invalid specification_version"
 end
 
- if spec.dependencies.any? {|dep| dep.type =~ /\R/ || dep.name =~ /\R/ }
+ if spec.dependencies.any? {|dep| dep.type != :runtime && dep.type != :development }
+ raise Gem::InstallError, "#{spec} has an invalid dependencies"
+ end
+
+ if spec.dependencies.any? {|dep| dep.name =~ /(?:\R|[<>])/ }
 raise Gem::InstallError, "#{spec} has an invalid dependencies"
 end
 end
-- 
cgit v1.2.3
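Review bot: The name check in the second added `if` is a denylist — only line breaks and `<`/`>` are rejected, presumably because the installed gemspec is re-emitted with `%q<name>` literals — so any other character that could matter to a downstream consumer of the name is still accepted. An anchored allowlist such as `dep.name !~ /\A[a-zA-Z0-9._-]+\z/` would be the more robust guard, ideally the same pattern the installer already applies to the gem's own name (not visible in this hunk), though it would need checking against dependency names already published before being made strict. Separately, both raises report only `#{spec} has an invalid dependencies` without saying which dependency failed; replacing `any?` with `find` in each check would let the message include `dep.name.inspect` and `dep.type.inspect`. Use `inspect` rather than the raw value there so a hostile dependency name cannot push escape sequences into the terminal through the error text. The enclosing method starts before this hunk.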