21330713 problem in UTILITY/RUBY
authorApril Chin <april.chin@oracle.com>
Tue, 07 Jul 2015 16:42:20 -0700
changeset 4604 eba741d252dc
parent 4602 4474aa6687fa
child 4605 62d61ce27a05
21330713 problem in UTILITY/RUBY
components/ruby/ruby-21/patches/08-CVE-2015-3900-4020.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-21/patches/08-CVE-2015-3900-4020.patch	Tue Jul 07 16:42:20 2015 -0700
@@ -0,0 +1,86 @@
+Patches to RubyGems from upstream
+to fix CVE-2015-3900:
+https://github.com/rubygems/rubygems/commit/6bbee35fd6daed045103f3122490a588d97c066a
+and CVE-2015-4020:
+https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e
+
+--- ruby-2.1.6-orig/lib/rubygems/remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
++++ ruby-2.1.6/lib/rubygems/remote_fetcher.rb	2015-07-06 14:51:51.198154766 -0700
[email protected]@ -90,7 +90,13 @@ class Gem::RemoteFetcher
+     rescue Resolv::ResolvError
+       uri
+     else
+-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
++      target = res.target.to_s.strip
++
++      if /\.#{Regexp.quote(host)}\z/ =~ target
++        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++      end
++
++      uri
+     end
+   end
+ 
+--- ruby-2.1.6-orig/test/rubygems/test_gem_remote_fetcher.rb	2014-02-05 18:59:36.000000000 -0800
++++ ruby-2.1.6/test/rubygems/test_gem_remote_fetcher.rb	2015-07-06 14:56:09.027603528 -0700
[email protected]@ -163,6 +163,21 @@ gems:
+   end
+ 
+   def test_api_endpoint
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "gems.example.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values 
+     uri = URI.parse "http://gems.example.com/foo"
+     target = MiniTest::Mock.new
+     target.expect :target, "blah.com"
[email protected]@ -171,7 +186,37 @@ gems:
+     dns.expect :getresource, target, [String, Object]
+ 
+     fetch = Gem::RemoteFetcher.new nil, dns
+-    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
++    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) 
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "example.combadguy.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
++    uri = URI.parse "http://example.com/foo"
++    target = MiniTest::Mock.new
++    target.expect :target, "badexample.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+ 
+     target.verify
+     dns.verify