upstream/oracle/userland-gate: changeset 4627:2101fdb9d9aa

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-21/patches/08-CVE-2015-3900-4020.patch	Fri Jul 10 10:09:35 2015 -0700
@@ -0,0 +1,86 @@
+Patches to RubyGems from upstream
+to fix CVE-2015-3900:
+https://github.com/rubygems/rubygems/commit/6bbee35fd6daed045103f3122490a588d97c066a
+and CVE-2015-4020:
+https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e
+
+--- ruby-2.1.6-orig/lib/rubygems/remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
++++ ruby-2.1.6/lib/rubygems/remote_fetcher.rb	2015-07-06 14:51:51.198154766 -0700
+@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
+     rescue Resolv::ResolvError
+       uri
+     else
+-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
++      target = res.target.to_s.strip
++
++      if /\.#{Regexp.quote(host)}\z/ =~ target
++        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++      end
++
++      uri
+     end
+   end
+ 
+--- ruby-2.1.6-orig/test/rubygems/test_gem_remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
++++ ruby-2.1.6/test/rubygems/test_gem_remote_fetcher.rb	2015-07-06 14:56:09.027603528 -0700
+@@ -163,6 +163,21 @@ gems:
+   end
+ 
+   def test_api_endpoint
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "gems.example.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values 
+     uri = URI.parse "http://gems.example.com/foo"
+     target = MiniTest::Mock.new
+     target.expect :target, "blah.com"
+@@ -171,7 +186,37 @@ gems:
+     dns.expect :getresource, target, [String, Object]
+ 
+     fetch = Gem::RemoteFetcher.new nil, dns
+-    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
++    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) 
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "example.combadguy.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "badexample.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+ 
+     target.verify
+     dns.verify
author	April Chin <april.chin@oracle.com>
	Fri, 10 Jul 2015 10:09:35 -0700
branch	s11-update
changeset 4627	2101fdb9d9aa
parent 4626	d5dbb6652eec
child 4628	21e8147a2b1e