# HG changeset patch
# User April Chin
# Date 1436312540 25200
# Node ID eba741d252dcf44ca35b1f1e9d07367187818eca
# Parent 4474aa6687fa133724ba546e8d8c833be8db2437
21330713 problem in UTILITY/RUBY
diff -r 4474aa6687fa -r eba741d252dc components/ruby/ruby-21/patches/08-CVE-2015-3900-4020.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-21/patches/08-CVE-2015-3900-4020.patch Tue Jul 07 16:42:20 2015 -0700
@@ -0,0 +1,86 @@
+Patches to RubyGems from upstream
+to fix CVE-2015-3900:
+https://github.com/rubygems/rubygems/commit/6bbee35fd6daed045103f3122490a588d97c066a
+and CVE-2015-4020:
+https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e
+
+--- ruby-2.1.6-orig/lib/rubygems/remote_fetcher.rb 2014-02-05 18:59:36.000000000 -0800
++++ ruby-2.1.6/lib/rubygems/remote_fetcher.rb 2015-07-06 14:51:51.198154766 -0700
+@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
+ rescue Resolv::ResolvError
+ uri
+ else
+- URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
++ target = res.target.to_s.strip
++
++ if /\.#{Regexp.quote(host)}\z/ =~ target
++ return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++ end
++
++ uri
+ end
+ end
+
+--- ruby-2.1.6-orig/test/rubygems/test_gem_remote_fetcher.rb 2014-02-05 18:59:36.000000000 -0800
++++ ruby-2.1.6/test/rubygems/test_gem_remote_fetcher.rb 2015-07-06 14:56:09.027603528 -0700
+@@ -163,6 +163,21 @@ gems:
+ end
+
+ def test_api_endpoint
++ uri = URI.parse "http://example.com/foo"
++ target = MiniTest::Mock.new
++ target.expect :target, "gems.example.com"
++
++ dns = MiniTest::Mock.new
++ dns.expect :getresource, target, [String, Object]
++
++ fetch = Gem::RemoteFetcher.new nil, dns
++ assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
++
++ target.verify
++ dns.verify
++ end
++
++ def test_api_endpoint_ignores_trans_domain_values
+ uri = URI.parse "http://gems.example.com/foo"
+ target = MiniTest::Mock.new
+ target.expect :target, "blah.com"
+@@ -171,7 +186,37 @@ gems:
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+- assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
++ assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
++
++ target.verify
++ dns.verify
++ end
++
++ def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
++ uri = URI.parse "http://example.com/foo"
++ target = MiniTest::Mock.new
++ target.expect :target, "example.combadguy.com"
++
++ dns = MiniTest::Mock.new
++ dns.expect :getresource, target, [String, Object]
++
++ fetch = Gem::RemoteFetcher.new nil, dns
++ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
++
++ target.verify
++ dns.verify
++ end
++
++ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
++ uri = URI.parse "http://example.com/foo"
++ target = MiniTest::Mock.new
++ target.expect :target, "badexample.com"
++
++ dns = MiniTest::Mock.new
++ dns.expect :getresource, target, [String, Object]
++
++ fetch = Gem::RemoteFetcher.new nil, dns
++ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+ target.verify
+ dns.verify
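Review bot: The added tests cover prefix and suffix trans-domain targets but nothing exercises the `.strip` / `\z` half of the remote_fetcher.rb change, which is the part that distinguishes the CVE-2015-4020 follow-up from the first commit; a regression to a `$` anchor or a dropped `strip` would pass this suite unnoticed. A test in the same style with a target that carries an embedded newline (shape below) pins that behaviour, and a companion case with trailing whitespace only, expecting the `gems.example.com` URI, would pin `strip`. The suffix check also relies on a `host` local the hunk never defines; presumably `uri.host` assigned at the top of `api_endpoint`, which lies outside the hunk, so that should be confirmed against the 2.1.6 source when applying the patch. A why-comment above the `if` would help the next backporter, e.g. `# Only honour an SRV target inside the requested host's own domain; anything else falls back to the original URI (CVE-2015-3900/4020)`.
```ruby
  def test_api_endpoint_ignores_trans_domain_values_with_embedded_newline
    uri = URI.parse "http://example.com/foo"
    target = MiniTest::Mock.new
    target.expect :target, "gems.example.com\nblah.com"

    dns = MiniTest::Mock.new
    dns.expect :getresource, target, [String, Object]

    fetch = Gem::RemoteFetcher.new nil, dns
    # strip only trims the ends, so the anchored suffix check must still reject this
    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)

    target.verify
    dns.verify
  end
```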