Bug #14481 » rubygems-276-for-ruby24.patch
lib/rubygems.rb | ||
---|---|---|
require 'thread'
|
||
module Gem
|
||
VERSION = "2.6.14"
|
||
VERSION = "2.6.14.1"
|
||
end
|
||
# Must be first since it unloads the prelude from 1.9.2
|
lib/rubygems/commands/owner_command.rb | ||
---|---|---|
end
|
||
with_response response do |resp|
|
||
owners = YAML.load resp.body
|
||
owners = Gem::SafeYAML.load resp.body
|
||
say "Owners for gem: #{name}"
|
||
owners.each do |owner|
|
lib/rubygems/package.rb | ||
---|---|---|
File.dirname destination
|
||
end
|
||
FileUtils.mkdir_p mkdir, mkdir_options
|
||
mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
|
||
open destination, 'wb' do |out|
|
||
out.write entry.read
|
||
... | ... | |
raise Gem::Package::PathError.new(filename, destination_dir) if
|
||
filename.start_with? '/'
|
||
destination_dir = File.realpath destination_dir if
|
||
File.respond_to? :realpath
|
||
destination_dir = realpath destination_dir
|
||
destination_dir = File.expand_path destination_dir
|
||
destination = File.join destination_dir, filename
|
||
destination = File.expand_path destination
|
||
raise Gem::Package::PathError.new(destination, destination_dir) unless
|
||
destination.start_with? destination_dir
|
||
destination.start_with? destination_dir + '/'
|
||
destination.untaint
|
||
destination
|
||
end
|
||
def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
|
||
destination_dir = realpath File.expand_path(destination_dir)
|
||
parts = mkdir.split(File::SEPARATOR)
|
||
parts.reduce do |path, basename|
|
||
path = realpath path unless path == ""
|
||
path = File.expand_path(path + File::SEPARATOR + basename)
|
||
lstat = File.lstat path rescue nil
|
||
if !lstat || !lstat.directory?
|
||
unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
|
||
raise Gem::Package::PathError.new(file_name, destination_dir)
|
||
end
|
||
end
|
||
path
|
||
end
|
||
end
|
||
##
|
||
# Loads a Gem::Specification from the TarEntry +entry+
|
||
... | ... | |
raise Gem::Package::FormatError.new \
|
||
'package content (data.tar.gz) is missing', @gem
|
||
end
|
||
if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
|
||
raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
|
||
end
|
||
end
|
||
##
|
||
... | ... | |
raise Gem::Package::FormatError.new(e.message, entry.full_name)
|
||
end
|
||
if File.respond_to? :realpath
|
||
def realpath file
|
||
File.realpath file
|
||
end
|
||
else
|
||
def realpath file
|
||
file
|
||
end
|
||
end
|
||
end
|
||
require 'rubygems/package/digest_io'
|
lib/rubygems/package/tar_header.rb | ||
---|---|---|
fields = header.unpack UNPACK_FORMAT
|
||
new :name => fields.shift,
|
||
:mode => fields.shift.oct,
|
||
:uid => fields.shift.oct,
|
||
:gid => fields.shift.oct,
|
||
:size => fields.shift.oct,
|
||
:mtime => fields.shift.oct,
|
||
:checksum => fields.shift.oct,
|
||
:mode => strict_oct(fields.shift),
|
||
:uid => strict_oct(fields.shift),
|
||
:gid => strict_oct(fields.shift),
|
||
:size => strict_oct(fields.shift),
|
||
:mtime => strict_oct(fields.shift),
|
||
:checksum => strict_oct(fields.shift),
|
||
:typeflag => fields.shift,
|
||
:linkname => fields.shift,
|
||
:magic => fields.shift,
|
||
:version => fields.shift.oct,
|
||
:version => strict_oct(fields.shift),
|
||
:uname => fields.shift,
|
||
:gname => fields.shift,
|
||
:devmajor => fields.shift.oct,
|
||
:devminor => fields.shift.oct,
|
||
:devmajor => strict_oct(fields.shift),
|
||
:devminor => strict_oct(fields.shift),
|
||
:prefix => fields.shift,
|
||
:empty => empty
|
||
end
|
||
def self.strict_oct(str)
|
||
return str.oct if str =~ /\A[0-7]*\z/
|
||
raise ArgumentError, "#{str.inspect} is not an octal string"
|
||
end
|
||
##
|
||
# Creates a new TarHeader using +vals+
|
||
lib/rubygems/package/tar_writer.rb | ||
---|---|---|
digest_name == signer.digest_name
|
||
end
|
||
raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
|
||
if signer.key then
|
||
signature = signer.sign signature_digest.digest
|
||
lib/rubygems/server.rb | ||
---|---|---|
executables = nil if executables.empty?
|
||
executables.last["is_last"] = true if executables
|
||
# Pre-process spec homepage for safety reasons
|
||
begin
|
||
homepage_uri = URI.parse(spec.homepage)
|
||
if [URI::HTTP, URI::HTTPS].member? homepage_uri.class
|
||
homepage_uri = spec.homepage
|
||
else
|
||
homepage_uri = "."
|
||
end
|
||
rescue URI::InvalidURIError
|
||
homepage_uri = "."
|
||
end
|
||
specs << {
|
||
"authors" => spec.authors.sort.join(", "),
|
||
"date" => spec.date.to_s,
|
||
... | ... | |
"only_one_executable" => (executables && executables.size == 1),
|
||
"full_name" => spec.full_name,
|
||
"has_deps" => !deps.empty?,
|
||
"homepage" => spec.homepage,
|
||
"homepage" => homepage_uri,
|
||
"name" => spec.name,
|
||
"rdoc_installed" => Gem::RDoc.new(spec).rdoc_installed?,
|
||
"ri_installed" => Gem::RDoc.new(spec).ri_installed?,
|
lib/rubygems/specification.rb | ||
---|---|---|
require 'rubygems/stub_specification'
|
||
require 'rubygems/util/list'
|
||
require 'stringio'
|
||
require 'uri'
|
||
##
|
||
# The Specification class contains the information for a Gem. Typically
|
||
... | ... | |
raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
|
||
end
|
||
if homepage and not homepage.empty? and
|
||
homepage !~ /\A[a-z][a-z\d+.-]*:/i then
|
||
raise Gem::InvalidSpecificationException,
|
||
"\"#{homepage}\" is not a URI"
|
||
# Make sure a homepage is valid HTTP/HTTPS URI
|
||
if homepage and not homepage.empty?
|
||
begin
|
||
homepage_uri = URI.parse(homepage)
|
||
unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
|
||
raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
|
||
end
|
||
rescue URI::InvalidURIError
|
||
raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
|
||
end
|
||
end
|
||
# Warnings
|
test/rubygems/test_gem_commands_owner_command.rb | ||
---|---|---|
assert_match %r{- 4}, @ui.output
|
||
end
|
||
def test_show_owners_dont_load_objects
|
||
skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
|
||
response = <<EOF
|
||
---
|
||
- email: !ruby/object:Object {}
|
||
id: 1
|
||
handle: user1
|
||
- email: user2@example.com
|
||
- id: 3
|
||
handle: user3
|
||
- id: 4
|
||
EOF
|
||
@fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
|
||
assert_raises Psych::DisallowedClass do
|
||
use_ui @ui do
|
||
@cmd.show_owners("freewill")
|
||
end
|
||
end
|
||
end
|
||
def test_show_owners_setting_up_host_through_env_var
|
||
response = "- email: user1@example.com\n"
|
||
host = "http://rubygems.example"
|
test/rubygems/test_gem_package.rb | ||
---|---|---|
File.read(extracted)
|
||
end
|
||
def test_extract_symlink_parent
|
||
skip 'symlink not supported' if Gem.win_platform?
|
||
package = Gem::Package.new @gem
|
||
tgz_io = util_tar_gz do |tar|
|
||
tar.mkdir 'lib', 0755
|
||
tar.add_symlink 'lib/link', '../..', 0644
|
||
tar.add_file 'lib/link/outside.txt', 0644 do |io| io.write 'hi' end
|
||
end
|
||
# Extract into a subdirectory of @destination; if this test fails it writes
|
||
# a file outside destination_subdir, but we want the file to remain inside
|
||
# @destination so it will be cleaned up.
|
||
destination_subdir = File.join @destination, 'subdir'
|
||
FileUtils.mkdir_p destination_subdir
|
||
e = assert_raises Gem::Package::PathError do
|
||
package.extract_tar_gz tgz_io, destination_subdir
|
||
end
|
||
assert_equal("installing into parent path lib/link/outside.txt of " +
|
||
"#{destination_subdir} is not allowed", e.message)
|
||
end
|
||
def test_extract_tar_gz_directory
|
||
package = Gem::Package.new @gem
|
||
... | ... | |
"#{@destination} is not allowed", e.message)
|
||
end
|
||
def test_install_location_suffix
|
||
package = Gem::Package.new @gem
|
||
filename = "../#{File.basename(@destination)}suffix.rb"
|
||
e = assert_raises Gem::Package::PathError do
|
||
package.install_location filename, @destination
|
||
end
|
||
parent = File.expand_path File.join @destination, filename
|
||
assert_equal("installing into parent path #{parent} of " +
|
||
"#{@destination} is not allowed", e.message)
|
||
end
|
||
def test_load_spec
|
||
entry = StringIO.new Gem.gzip @spec.to_yaml
|
||
def entry.full_name() 'metadata.gz' end
|
||
... | ... | |
assert_match %r%nonexistent.gem$%, e.message
|
||
end
|
||
def test_verify_duplicate_file
|
||
FileUtils.mkdir_p 'lib'
|
||
FileUtils.touch 'lib/code.rb'
|
||
build = Gem::Package.new @gem
|
||
build.spec = @spec
|
||
build.setup_signer
|
||
open @gem, 'wb' do |gem_io|
|
||
Gem::Package::TarWriter.new gem_io do |gem|
|
||
build.add_metadata gem
|
||
build.add_contents gem
|
||
gem.add_file_simple 'a.sig', 0444, 0
|
||
gem.add_file_simple 'a.sig', 0444, 0
|
||
end
|
||
end
|
||
package = Gem::Package.new @gem
|
||
e = assert_raises Gem::Security::Exception do
|
||
package.verify
|
||
end
|
||
assert_equal 'duplicate files in the package: ("a.sig")', e.message
|
||
end
|
||
def test_verify_security_policy
|
||
skip 'openssl is missing' unless defined?(OpenSSL::SSL)
|
||
... | ... | |
# write bogus data.tar.gz to foil signature
|
||
bogus_data = Gem.gzip 'hello'
|
||
gem.add_file_simple 'data.tar.gz', 0444, bogus_data.length do |io|
|
||
fake_signer = Class.new do
|
||
def digest_name; 'SHA512'; end
|
||
def digest_algorithm; Digest(:SHA512); end
|
||
def key; 'key'; end
|
||
def sign(*); 'fake_sig'; end
|
||
end
|
||
gem.add_file_signed 'data2.tar.gz', 0444, fake_signer.new do |io|
|
||
io.write bogus_data
|
||
end
|
||
test/rubygems/test_gem_package_tar_header.rb | ||
---|---|---|
assert_equal '012467', @tar_header.checksum
|
||
end
|
||
def test_from_bad_octal
|
||
test_cases = [
|
||
"00000006,44\000", # bogus character
|
||
"00000006789\000", # non-octal digit
|
||
"+0000001234\000", # positive sign
|
||
"-0000001000\000", # negative sign
|
||
"0x000123abc\000", # radix prefix
|
||
]
|
||
test_cases.each do |val|
|
||
header_s = @tar_header.to_s
|
||
# overwrite the size field
|
||
header_s[124, 12] = val
|
||
io = TempIO.new header_s
|
||
assert_raises ArgumentError do
|
||
new_header = Gem::Package::TarHeader.from io
|
||
end
|
||
io.close! if io.respond_to? :close!
|
||
end
|
||
end
|
||
end
|
||
test/rubygems/test_gem_server.rb | ||
---|---|---|
assert_match 'z 9', @res.body
|
||
end
|
||
def test_xss_homepage_fix_289313
|
||
data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
||
dir = "#{@gemhome}2"
|
||
spec = util_spec 'xsshomepagegem', 1
|
||
spec.homepage = "javascript:confirm(document.domain)"
|
||
specs_dir = File.join dir, 'specifications'
|
||
FileUtils.mkdir_p specs_dir
|
||
open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
||
io.write spec.to_ruby
|
||
end
|
||
server = Gem::Server.new dir, process_based_port, false
|
||
@req.parse data
|
||
server.root @req, @res
|
||
assert_equal 200, @res.status
|
||
assert_match 'xsshomepagegem 1', @res.body
|
||
# This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
|
||
# valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
|
||
# but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
|
||
# validated in future versions of Gem::Specification.
|
||
#
|
||
# There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
|
||
#
|
||
# Variant #1 - rdoc not installed
|
||
#
|
||
# <b>xsshomepagegem 1</b>
|
||
#
|
||
#
|
||
# <span title="rdoc not installed">[rdoc]</span>
|
||
#
|
||
#
|
||
#
|
||
# <a href="." title=".">[www]</a>
|
||
#
|
||
# Variant #2 - rdoc installed
|
||
#
|
||
# <b>xsshomepagegem 1</b>
|
||
#
|
||
#
|
||
# <a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>
|
||
#
|
||
#
|
||
#
|
||
# <a href="." title=".">[www]</a>
|
||
regex_match = /xsshomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
|
||
assert_match regex_match, @res.body
|
||
end
|
||
def test_invalid_homepage
|
||
data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
||
dir = "#{@gemhome}2"
|
||
spec = util_spec 'invalidhomepagegem', 1
|
||
spec.homepage = "notavalidhomepageurl"
|
||
specs_dir = File.join dir, 'specifications'
|
||
FileUtils.mkdir_p specs_dir
|
||
open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
||
io.write spec.to_ruby
|
||
end
|
||
server = Gem::Server.new dir, process_based_port, false
|
||
@req.parse data
|
||
server.root @req, @res
|
||
assert_equal 200, @res.status
|
||
assert_match 'invalidhomepagegem 1', @res.body
|
||
# This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
|
||
# valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
|
||
# but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
|
||
# validated in future versions of Gem::Specification.
|
||
#
|
||
# There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
|
||
#
|
||
# Variant #1 - rdoc not installed
|
||
#
|
||
# <b>invalidhomepagegem 1</b>
|
||
#
|
||
#
|
||
# <span title="rdoc not installed">[rdoc]</span>
|
||
#
|
||
#
|
||
#
|
||
# <a href="." title=".">[www]</a>
|
||
#
|
||
# Variant #2 - rdoc installed
|
||
#
|
||
# <b>invalidhomepagegem 1</b>
|
||
#
|
||
#
|
||
# <a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>
|
||
#
|
||
#
|
||
#
|
||
# <a href="." title=".">[www]</a>
|
||
regex_match = /invalidhomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
|
||
assert_match regex_match, @res.body
|
||
end
|
||
def test_valid_homepage_http
|
||
data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
||
dir = "#{@gemhome}2"
|
||
spec = util_spec 'validhomepagegemhttp', 1
|
||
spec.homepage = "http://rubygems.org"
|
||
specs_dir = File.join dir, 'specifications'
|
||
FileUtils.mkdir_p specs_dir
|
||
open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
||
io.write spec.to_ruby
|
||
end
|
||
server = Gem::Server.new dir, process_based_port, false
|
||
@req.parse data
|
||
server.root @req, @res
|
||
assert_equal 200, @res.status
|
||
assert_match 'validhomepagegemhttp 1', @res.body
|
||
regex_match = /validhomepagegemhttp 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttp-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="http:\/\/rubygems\.org" title="http:\/\/rubygems\.org">\[www\]<\/a>/
|
||
assert_match regex_match, @res.body
|
||
end
|
||
def test_valid_homepage_https
|
||
data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
||
dir = "#{@gemhome}2"
|
||
spec = util_spec 'validhomepagegemhttps', 1
|
||
spec.homepage = "https://rubygems.org"
|
||
specs_dir = File.join dir, 'specifications'
|
||
FileUtils.mkdir_p specs_dir
|
||
open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
||
io.write spec.to_ruby
|
||
end
|
||
server = Gem::Server.new dir, process_based_port, false
|
||
@req.parse data
|
||
server.root @req, @res
|
||
assert_equal 200, @res.status
|
||
assert_match 'validhomepagegemhttps 1', @res.body
|
||
regex_match = /validhomepagegemhttps 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttps-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="https:\/\/rubygems\.org" title="https:\/\/rubygems\.org">\[www\]<\/a>/
|
||
assert_match regex_match, @res.body
|
||
end
|
||
def test_specs
|
||
data = StringIO.new "GET /specs.#{Gem.marshal_version} HTTP/1.0\r\n\r\n"
|
||
@req.parse data
|
test/rubygems/test_gem_specification.rb | ||
---|---|---|
@a1.validate
|
||
end
|
||
assert_equal '"over at my cool site" is not a URI', e.message
|
||
assert_equal '"over at my cool site" is not a valid HTTP URI', e.message
|
||
@a1.homepage = 'ftp://rubygems.org'
|
||
e = assert_raises Gem::InvalidSpecificationException do
|
||
@a1.validate
|
||
end
|
||
assert_equal '"ftp://rubygems.org" is not a valid HTTP URI', e.message
|
||
@a1.homepage = 'http://rubygems.org'
|
||
assert_equal true, @a1.validate
|
||
@a1.homepage = 'https://rubygems.org'
|
||
assert_equal true, @a1.validate
|
||
end
|
||
end
|
||