|
1 Patches to RubyGems from upstream |
|
2 to fix CVE-2015-3900: |
|
3 https://github.com/rubygems/rubygems/commit/6bbee35fd6daed045103f3122490a588d97c066a |
|
4 and CVE-2015-4020: |
|
5 https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e |
|
6 |
|
7 --- ruby-2.1.6-orig/lib/rubygems/remote_fetcher.rb 2014-02-05 18:59:36.000000000 -0800 |
|
8 +++ ruby-2.1.6/lib/rubygems/remote_fetcher.rb 2015-07-06 14:51:51.198154766 -0700 |
|
9 @@ -90,7 +90,13 @@ class Gem::RemoteFetcher |
|
10 rescue Resolv::ResolvError |
|
11 uri |
|
12 else |
|
13 - URI.parse "#{uri.scheme}://#{res.target}#{uri.path}" |
|
14 + target = res.target.to_s.strip |
|
15 + |
|
16 + if /\.#{Regexp.quote(host)}\z/ =~ target |
|
17 + return URI.parse "#{uri.scheme}://#{target}#{uri.path}" |
|
18 + end |
|
19 + |
|
20 + uri |
|
21 end |
|
22 end |
|
23 |
|
24 --- ruby-2.1.6-orig/test/rubygems/test_gem_remote_fetcher.rb 2014-02-05 18:59:36.000000000 -0800 |
|
25 +++ ruby-2.1.6/test/rubygems/test_gem_remote_fetcher.rb 2015-07-06 14:56:09.027603528 -0700 |
|
26 @@ -163,6 +163,21 @@ gems: |
|
27 end |
|
28 |
|
29 def test_api_endpoint |
|
30 + uri = URI.parse "http://example.com/foo" |
|
31 + target = MiniTest::Mock.new |
|
32 + target.expect :target, "gems.example.com" |
|
33 + |
|
34 + dns = MiniTest::Mock.new |
|
35 + dns.expect :getresource, target, [String, Object] |
|
36 + |
|
37 + fetch = Gem::RemoteFetcher.new nil, dns |
|
38 + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) |
|
39 + |
|
40 + target.verify |
|
41 + dns.verify |
|
42 + end |
|
43 + |
|
44 + def test_api_endpoint_ignores_trans_domain_values |
|
45 uri = URI.parse "http://gems.example.com/foo" |
|
46 target = MiniTest::Mock.new |
|
47 target.expect :target, "blah.com" |
|
48 @@ -171,7 +186,37 @@ gems: |
|
49 dns.expect :getresource, target, [String, Object] |
|
50 |
|
51 fetch = Gem::RemoteFetcher.new nil, dns |
|
52 - assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri) |
|
53 + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) |
|
54 + |
|
55 + target.verify |
|
56 + dns.verify |
|
57 + end |
|
58 + |
|
59 + def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original |
|
60 + uri = URI.parse "http://example.com/foo" |
|
61 + target = MiniTest::Mock.new |
|
62 + target.expect :target, "example.combadguy.com" |
|
63 + |
|
64 + dns = MiniTest::Mock.new |
|
65 + dns.expect :getresource, target, [String, Object] |
|
66 + |
|
67 + fetch = Gem::RemoteFetcher.new nil, dns |
|
68 + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) |
|
69 + |
|
70 + target.verify |
|
71 + dns.verify |
|
72 + end |
|
73 + |
|
74 + def test_api_endpoint_ignores_trans_domain_values_that_end_with_original |
|
75 + uri = URI.parse "http://example.com/foo" |
|
76 + target = MiniTest::Mock.new |
|
77 + target.expect :target, "badexample.com" |
|
78 + |
|
79 + dns = MiniTest::Mock.new |
|
80 + dns.expect :getresource, target, [String, Object] |
|
81 + |
|
82 + fetch = Gem::RemoteFetcher.new nil, dns |
|
83 + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) |
|
84 |
|
85 target.verify |
|
86 dns.verify |