Project

General

Profile

Bug #15637 ยป ruby-2.5.3-rubygems-v2.patch

hsbt (Hiroshi SHIBATA), 03/06/2019 05:03 AM

View differences:

lib/rubygems.rb
10 10
require 'thread'
11 11

  
12 12
module Gem
13
  VERSION = "2.7.6"
13
  VERSION = "2.7.6.1"
14 14
end
15 15

  
16 16
# Must be first since it unloads the prelude from 1.9.2
lib/rubygems/command_manager.rb
7 7

  
8 8
require 'rubygems/command'
9 9
require 'rubygems/user_interaction'
10
require 'rubygems/text'
10 11

  
11 12
##
12 13
# The command manager registers and installs all the individual sub-commands
......
32 33

  
33 34
class Gem::CommandManager
34 35

  
36
  include Gem::Text
35 37
  include Gem::UserInteraction
36 38

  
37 39
  BUILTIN_COMMANDS = [ # :nodoc:
......
140 142
  def run(args, build_args=nil)
141 143
    process_args(args, build_args)
142 144
  rescue StandardError, Timeout::Error => ex
143
    alert_error "While executing gem ... (#{ex.class})\n    #{ex}"
145
    alert_error clean_text("While executing gem ... (#{ex.class})\n    #{ex}")
144 146
    ui.backtrace ex
145 147

  
146 148
    terminate_interaction(1)
147 149
  rescue Interrupt
148
    alert_error "Interrupted"
150
    alert_error clean_text("Interrupted")
149 151
    terminate_interaction(1)
150 152
  end
151 153

  
......
163 165
      say Gem::VERSION
164 166
      terminate_interaction 0
165 167
    when /^-/ then
166
      alert_error "Invalid option: #{args.first}. See 'gem --help'."
168
      alert_error clean_text("Invalid option: #{args.first}. See 'gem --help'.")
167 169
      terminate_interaction 1
168 170
    else
169 171
      cmd_name = args.shift.downcase
......
212 214
    rescue Exception => e
213 215
      e = load_error if load_error
214 216

  
215
      alert_error "Loading command: #{command_name} (#{e.class})\n\t#{e}"
217
      alert_error clean_text("Loading command: #{command_name} (#{e.class})\n\t#{e}")
216 218
      ui.backtrace e
217 219
    end
218 220
  end
lib/rubygems/commands/owner_command.rb
2 2
require 'rubygems/command'
3 3
require 'rubygems/local_remote_options'
4 4
require 'rubygems/gemcutter_utilities'
5
require 'rubygems/text'
5 6

  
6 7
class Gem::Commands::OwnerCommand < Gem::Command
8

  
9
  include Gem::Text
7 10
  include Gem::LocalRemoteOptions
8 11
  include Gem::GemcutterUtilities
9 12

  
......
64 67
    end
65 68

  
66 69
    with_response response do |resp|
67
      owners = Gem::SafeYAML.load resp.body
70
      owners = Gem::SafeYAML.load clean_text(resp.body)
68 71

  
69 72
      say "Owners for gem: #{name}"
70 73
      owners.each do |owner|
lib/rubygems/gemcutter_utilities.rb
1 1
# frozen_string_literal: true
2 2
require 'rubygems/remote_fetcher'
3
require 'rubygems/text'
3 4

  
4 5
##
5 6
# Utility methods for using the RubyGems API.
6 7

  
7 8
module Gem::GemcutterUtilities
8 9

  
10
  include Gem::Text
11

  
9 12
  # TODO: move to Gem::Command
10 13
  OptionParser.accept Symbol do |value|
11 14
    value.to_sym
......
145 148
      if block_given? then
146 149
        yield response
147 150
      else
148
        say response.body
151
        say clean_text(response.body)
149 152
      end
150 153
    else
151 154
      message = response.body
152 155
      message = "#{error_prefix}: #{message}" if error_prefix
153 156

  
154
      say message
157
      say clean_text(message)
155 158
      terminate_interaction 1 # TODO: question this
156 159
    end
157 160
  end
lib/rubygems/installer.rb
707 707
      unpack or File.writable?(gem_home)
708 708
  end
709 709

  
710
  def verify_spec_name
711
    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
712
    raise Gem::InstallError, "#{spec} has an invalid name"
710
  def verify_spec
711
    unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
712
      raise Gem::InstallError, "#{spec} has an invalid name"
713
    end
714

  
715
    if spec.raw_require_paths.any?{|path| path =~ /\r\n|\r|\n/ }
716
      raise Gem::InstallError, "#{spec} has an invalid require_paths"
717
    end
718

  
719
    if spec.extensions.any?{|ext| ext =~ /\r\n|\r|\n/ }
720
      raise Gem::InstallError, "#{spec} has an invalid extensions"
721
    end
722

  
723
    unless spec.specification_version.to_s =~ /\A\d+\z/
724
      raise Gem::InstallError, "#{spec} has an invalid specification_version"
725
    end
726

  
727
    if spec.dependencies.any? {|dep| dep.type =~ /\r\n|\r|\n/ || dep.name =~ /\r\n|\r|\n/ }
728
      raise Gem::InstallError, "#{spec} has an invalid dependencies"
729
    end
713 730
  end
714 731

  
715 732
  ##
......
836 853
  def pre_install_checks
837 854
    verify_gem_home options[:unpack]
838 855

  
856
    # The name and require_paths must be verified first, since it could contain
857
    # ruby code that would be eval'ed in #ensure_loadable_spec
858
    verify_spec
859

  
839 860
    ensure_loadable_spec
840 861

  
841
    verify_spec_name
842

  
843 862
    if options[:install_as_default]
844 863
      Gem.ensure_default_gem_subdirectories gem_home
845 864
    else
lib/rubygems/package.rb
425 425
    raise Gem::Package::PathError.new(destination, destination_dir) unless
426 426
      destination.start_with? destination_dir + '/'
427 427

  
428
    begin
429
      real_destination = File.expand_path(File.realpath(destination))
430
    rescue
431
      # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
432
      nil
433
    else
434
      raise Gem::Package::PathError.new(real_destination, destination_dir) unless
435
        real_destination.start_with? destination_dir + '/'
436
    end
437

  
428 438
    destination.untaint
429 439
    destination
430 440
  end
lib/rubygems/user_interaction.rb
6 6
#++
7 7

  
8 8
require 'rubygems/util'
9
require 'rubygems/text'
9 10

  
10 11
##
11 12
# Module that defines the default UserInteraction.  Any class including this
......
13 14

  
14 15
module Gem::DefaultUserInteraction
15 16

  
17
  include Gem::Text
18

  
16 19
  ##
17 20
  # The default UI is a class variable of the singleton class for this
18 21
  # module.
......
160 163
  # Calls +say+ with +msg+ or the results of the block if really_verbose
161 164
  # is true.
162 165

  
163
  def verbose msg = nil
164
    say(msg || yield) if Gem.configuration.really_verbose
166
  def verbose(msg = nil)
167
    say(clean_text(msg || yield)) if Gem.configuration.really_verbose
165 168
  end
166 169
end
167 170

  
test/rubygems/test_gem_installer.rb
1474 1474
    end
1475 1475
  end
1476 1476

  
1477
  def test_pre_install_checks_malicious_name_before_eval
1478
    spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1'
1479
    def spec.full_name # so the spec is buildable
1480
      "malicious-1"
1481
    end
1482
    def spec.validate(*args); end
1483

  
1484
    util_build_gem spec
1485

  
1486
    gem = File.join(@gemhome, 'cache', spec.file_name)
1487

  
1488
    use_ui @ui do
1489
      @installer = Gem::Installer.at gem
1490
      e = assert_raises Gem::InstallError do
1491
        @installer.pre_install_checks
1492
      end
1493
      assert_equal "#<Gem::Specification name=malicious\n::Object.const_set(:FROM_EVAL, true)# version=1> has an invalid name", e.message
1494
    end
1495
    refute defined?(::Object::FROM_EVAL)
1496
  end
1497

  
1498
  def test_pre_install_checks_malicious_require_paths_before_eval
1499
    spec = util_spec "malicious", '1'
1500
    def spec.full_name # so the spec is buildable
1501
      "malicious-1"
1502
    end
1503
    def spec.validate(*args); end
1504
    spec.require_paths = ["malicious\n``"]
1505

  
1506
    util_build_gem spec
1507

  
1508
    gem = File.join(@gemhome, 'cache', spec.file_name)
1509

  
1510
    use_ui @ui do
1511
      @installer = Gem::Installer.at gem
1512
      e = assert_raises Gem::InstallError do
1513
        @installer.pre_install_checks
1514
      end
1515
      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid require_paths", e.message
1516
    end
1517
  end
1518

  
1519
  def test_pre_install_checks_malicious_extensions_before_eval
1520
    skip "mswin environment disallow to create file contained the carriage return code." if Gem.win_platform?
1521

  
1522
    spec = util_spec "malicious", '1'
1523
    def spec.full_name # so the spec is buildable
1524
      "malicious-1"
1525
    end
1526
    def spec.validate(*args); end
1527
    spec.extensions = ["malicious\n``"]
1528

  
1529
    util_build_gem spec
1530

  
1531
    gem = File.join(@gemhome, 'cache', spec.file_name)
1532

  
1533
    use_ui @ui do
1534
      @installer = Gem::Installer.at gem
1535
      e = assert_raises Gem::InstallError do
1536
        @installer.pre_install_checks
1537
      end
1538
      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid extensions", e.message
1539
    end
1540
  end
1541

  
1542
  def test_pre_install_checks_malicious_specification_version_before_eval
1543
    spec = util_spec "malicious", '1'
1544
    def spec.full_name # so the spec is buildable
1545
      "malicious-1"
1546
    end
1547
    def spec.validate(*args); end
1548
    spec.specification_version = "malicious\n``"
1549

  
1550
    util_build_gem spec
1551

  
1552
    gem = File.join(@gemhome, 'cache', spec.file_name)
1553

  
1554
    use_ui @ui do
1555
      @installer = Gem::Installer.at gem
1556
      e = assert_raises Gem::InstallError do
1557
        @installer.pre_install_checks
1558
      end
1559
      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid specification_version", e.message
1560
    end
1561
  end
1562

  
1563
  def test_pre_install_checks_malicious_dependencies_before_eval
1564
    spec = util_spec "malicious", '1'
1565
    def spec.full_name # so the spec is buildable
1566
      "malicious-1"
1567
    end
1568
    def spec.validate(*args); end
1569
    spec.add_dependency "b\nfoo", '> 5'
1570

  
1571
    util_build_gem spec
1572

  
1573
    gem = File.join(@gemhome, 'cache', spec.file_name)
1574

  
1575
    use_ui @ui do
1576
      @installer = Gem::Installer.at gem
1577
      @installer.ignore_dependencies = true
1578
      e = assert_raises Gem::InstallError do
1579
        @installer.pre_install_checks
1580
      end
1581
      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid dependencies", e.message
1582
    end
1583
  end
1584

  
1477 1585
  def test_shebang
1478 1586
    util_make_exec @spec, "#!/usr/bin/ruby"
1479 1587

  
test/rubygems/test_gem_package.rb
480 480
                 "#{destination_subdir} is not allowed", e.message)
481 481
  end
482 482

  
483
  def test_extract_symlink_parent_doesnt_delete_user_dir
484
    skip if RUBY_VERSION <= "1.8.7"
485

  
486
    package = Gem::Package.new @gem
487

  
488
    # Extract into a subdirectory of @destination; if this test fails it writes
489
    # a file outside destination_subdir, but we want the file to remain inside
490
    # @destination so it will be cleaned up.
491
    destination_subdir = File.join @destination, 'subdir'
492
    FileUtils.mkdir_p destination_subdir
493

  
494
    destination_user_dir = File.join @destination, 'user'
495
    destination_user_subdir = File.join destination_user_dir, 'dir'
496
    FileUtils.mkdir_p destination_user_subdir
497

  
498
    tgz_io = util_tar_gz do |tar|
499
      tar.add_symlink 'link', destination_user_dir, 16877
500
      tar.add_symlink 'link/dir', '.', 16877
501
    end
502

  
503
    e = assert_raises(Gem::Package::PathError, Errno::EACCES) do
504
      package.extract_tar_gz tgz_io, destination_subdir
505
    end
506

  
507
    assert_path_exists destination_user_subdir
508

  
509
    if Gem::Package::PathError === e
510
      assert_equal("installing into parent path #{destination_user_subdir} of " +
511
                  "#{destination_subdir} is not allowed", e.message)
512
    elsif win_platform?
513
      skip "symlink - must be admin with no UAC on Windows"
514
    else
515
      raise e
516
    end
517
  end
518

  
483 519
  def test_extract_tar_gz_directory
484 520
    package = Gem::Package.new @gem
485 521

  
test/rubygems/test_gem_text.rb
85 85
    s = "ab" * 500_001
86 86
    assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
87 87
  end
88

  
89
  def test_clean_text
90
    assert_equal ".]2;nyan.", clean_text("\e]2;nyan\a")
91
  end
92

  
88 93
end