upstream/oracle/userland-gate: components/ruby/ruby-21/patches/08-CVE-2015-3900-4020.patch@2101fdb9d9aa


Patches to RubyGems from upstream
to fix CVE-2015-3900:
https://github.com/rubygems/rubygems/commit/6bbee35fd6daed045103f3122490a588d97c066a
and CVE-2015-4020:
https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e

--- ruby-2.1.6-orig/lib/rubygems/remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
+++ ruby-2.1.6/lib/rubygems/remote_fetcher.rb	2015-07-06 14:51:51.198154766 -0700
@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
     rescue Resolv::ResolvError
       uri
     else
-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
+      target = res.target.to_s.strip
+
+      if /\.#{Regexp.quote(host)}\z/ =~ target
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+      end
+
+      uri
     end
   end
 
--- ruby-2.1.6-orig/test/rubygems/test_gem_remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
+++ ruby-2.1.6/test/rubygems/test_gem_remote_fetcher.rb	2015-07-06 14:56:09.027603528 -0700
@@ -163,6 +163,21 @@ gems:
   end
 
   def test_api_endpoint
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "gems.example.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values 
     uri = URI.parse "http://gems.example.com/foo"
     target = MiniTest::Mock.new
     target.expect :target, "blah.com"
@@ -171,7 +186,37 @@ gems:
     dns.expect :getresource, target, [String, Object]
 
     fetch = Gem::RemoteFetcher.new nil, dns
-    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) 
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "example.combadguy.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "badexample.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
 
     target.verify
     dns.verify
author	April Chin <april.chin@oracle.com>
	Fri, 10 Jul 2015 10:09:35 -0700
branch	s11-update
changeset 4627	2101fdb9d9aa
permissions	-rw-r--r--