components/ruby/ruby-21/patches/08-CVE-2015-3900-4020.patch
changeset 4604 eba741d252dc
       
     1 Patches to RubyGems from upstream
       
     2 to fix CVE-2015-3900:
       
     3 https://github.com/rubygems/rubygems/commit/6bbee35fd6daed045103f3122490a588d97c066a
       
     4 and CVE-2015-4020:
       
     5 https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e
       
     6 
       
     7 --- ruby-2.1.6-orig/lib/rubygems/remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
       
     8 +++ ruby-2.1.6/lib/rubygems/remote_fetcher.rb	2015-07-06 14:51:51.198154766 -0700
       
     9 @@ -90,7 +90,13 @@ class Gem::RemoteFetcher
       
    10      rescue Resolv::ResolvError
       
    11        uri
       
    12      else
       
    13 -      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
       
    14 +      target = res.target.to_s.strip
       
    15 +
       
    16 +      if /\.#{Regexp.quote(host)}\z/ =~ target
       
    17 +        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
       
    18 +      end
       
    19 +
       
    20 +      uri
       
    21      end
       
    22    end
       
    23  
       
    24 --- ruby-2.1.6-orig/test/rubygems/test_gem_remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
       
    25 +++ ruby-2.1.6/test/rubygems/test_gem_remote_fetcher.rb	2015-07-06 14:56:09.027603528 -0700
       
    26 @@ -163,6 +163,21 @@ gems:
       
    27    end
       
    28  
       
    29    def test_api_endpoint
       
    30 +    uri = URI.parse "http://example.com/foo"
       
    31 +    target = MiniTest::Mock.new
       
    32 +    target.expect :target, "gems.example.com"
       
    33 +
       
    34 +    dns = MiniTest::Mock.new
       
    35 +    dns.expect :getresource, target, [String, Object]
       
    36 +
       
    37 +    fetch = Gem::RemoteFetcher.new nil, dns
       
    38 +    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
       
    39 +
       
    40 +    target.verify
       
    41 +    dns.verify
       
    42 +  end
       
    43 +
       
    44 +  def test_api_endpoint_ignores_trans_domain_values 
       
    45      uri = URI.parse "http://gems.example.com/foo"
       
    46      target = MiniTest::Mock.new
       
    47      target.expect :target, "blah.com"
       
    48 @@ -171,7 +186,37 @@ gems:
       
    49      dns.expect :getresource, target, [String, Object]
       
    50  
       
    51      fetch = Gem::RemoteFetcher.new nil, dns
       
    52 -    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
       
    53 +    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) 
       
    54 +
       
    55 +    target.verify
       
    56 +    dns.verify
       
    57 +  end
       
    58 +
       
    59 +  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
       
    60 +    uri = URI.parse "http://example.com/foo"
       
    61 +    target = MiniTest::Mock.new
       
    62 +    target.expect :target, "example.combadguy.com"
       
    63 +
       
    64 +    dns = MiniTest::Mock.new
       
    65 +    dns.expect :getresource, target, [String, Object]
       
    66 +
       
    67 +    fetch = Gem::RemoteFetcher.new nil, dns
       
    68 +    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
       
    69 +
       
    70 +    target.verify
       
    71 +    dns.verify
       
    72 +  end
       
    73 +
       
    74 +  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
       
    75 +    uri = URI.parse "http://example.com/foo"
       
    76 +    target = MiniTest::Mock.new
       
    77 +    target.expect :target, "badexample.com"
       
    78 +
       
    79 +    dns = MiniTest::Mock.new
       
    80 +    dns.expect :getresource, target, [String, Object]
       
    81 +
       
    82 +    fetch = Gem::RemoteFetcher.new nil, dns
       
    83 +    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
       
    84  
       
    85      target.verify
       
    86      dns.verify
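Review bot: The new `else` branch in remote_fetcher.rb returns the original `uri` silently whenever the SRV target fails the subdomain regex, and nothing in the hunk records that this fallback is the intended fail-closed behaviour rather than an oversight; a comment above the match would make that explicit, e.g. `# Only honour the SRV target when it is a subdomain of the requested host; any other target is ignored and the original URI is used.` The `host` the regex is anchored on and the enclosing method (presumably `api_endpoint`, judging from the tests) begin before the hunk, so its derivation cannot be checked here; `Regexp.quote(host)` with the leading `\.` and the `\z` anchor read correctly, and the case-sensitive comparison can only reject more targets, never accept more. The purpose of `res.target.to_s.strip` is likewise undocumented — presumably it normalises stray whitespace in the resolved name, which should be confirmed and stated in a short comment so the next reader does not have to follow the CVE links. The test hunk also leaves trailing whitespace on `def test_api_endpoint_ignores_trans_domain_values ` and on the `assert_equal` line that replaces the removed one, which should be stripped.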