diff options
author | hsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-10-10 08:58:22 +0000 |
---|---|---|
committer | hsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-10-10 08:58:22 +0000 |
commit | 500f15e5079026f3da993b404f7474aa3c69cc0a (patch) | |
tree | 5d03277ea27cf1be4b4616482693be01fdf6f0e4 | |
parent | 6d86ee593a78221bfadd99fd9edf41eb5a985cc7 (diff) | |
download | ruby-500f15e5079026f3da993b404f7474aa3c69cc0a.tar.gz |
Merge rubygems-2.6.14 changes.
It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60149 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | lib/rubygems.rb | 5 | ||||
-rw-r--r-- | lib/rubygems/config_file.rb | 2 | ||||
-rw-r--r-- | lib/rubygems/package.rb | 2 | ||||
-rw-r--r-- | lib/rubygems/package/old.rb | 2 | ||||
-rw-r--r-- | lib/rubygems/safe_yaml.rb | 48 | ||||
-rw-r--r-- | lib/rubygems/specification.rb | 2 |
6 files changed, 55 insertions, 6 deletions
diff --git a/lib/rubygems.rb b/lib/rubygems.rb index d819bdee02..c8f43e3805 100644 --- a/lib/rubygems.rb +++ b/lib/rubygems.rb @@ -10,7 +10,7 @@ require 'rbconfig' require 'thread' module Gem - VERSION = "2.6.13" + VERSION = "2.6.14" end # Must be first since it unloads the prelude from 1.9.2 @@ -690,7 +690,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]} unless test_syck begin - gem 'psych', '>= 1.2.1' + gem 'psych', '>= 2.0.0' rescue Gem::LoadError # It's OK if the user does not have the psych gem installed. We will # attempt to require the stdlib version @@ -714,6 +714,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]} end require 'yaml' + require 'rubygems/safe_yaml' # If we're supposed to be using syck, then we may have to force # activate it via the YAML::ENGINE API. diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb index b98d30cc69..a4efed0f5a 100644 --- a/lib/rubygems/config_file.rb +++ b/lib/rubygems/config_file.rb @@ -354,7 +354,7 @@ if you believe they were disclosed to a third party. return {} unless filename and File.exist? filename begin - content = YAML.load(File.read(filename)) + content = Gem::SafeYAML.load(File.read(filename)) unless content.kind_of? Hash warn "Failed to load #{filename} because it doesn't contain valid YAML hash" return {} diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb index c36e71d800..77811ed5ec 100644 --- a/lib/rubygems/package.rb +++ b/lib/rubygems/package.rb @@ -468,7 +468,7 @@ EOM @checksums = gem.seek 'checksums.yaml.gz' do |entry| Zlib::GzipReader.wrap entry do |gz_io| - YAML.load gz_io.read + Gem::SafeYAML.safe_load gz_io.read end end end diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb index 88193b986d..f6e6e67c38 100644 --- a/lib/rubygems/package/old.rb +++ b/lib/rubygems/package/old.rb @@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package header << line end - YAML.load header + Gem::SafeYAML.safe_load header end ## diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb new file mode 100644 index 0000000000..b98cfaa5e6 --- /dev/null +++ b/lib/rubygems/safe_yaml.rb @@ -0,0 +1,48 @@ +module Gem + + ### + # This module is used for safely loading YAML specs from a gem. The + # `safe_load` method defined on this module is specifically designed for + # loading Gem specifications. For loading other YAML safely, please see + # Psych.safe_load + + module SafeYAML + WHITELISTED_CLASSES = %w( + Symbol + Time + Date + Gem::Dependency + Gem::Platform + Gem::Requirement + Gem::Specification + Gem::Version + Gem::Version::Requirement + YAML::Syck::DefaultKey + Syck::DefaultKey + ) + + WHITELISTED_SYMBOLS = %w( + development + runtime + ) + + if ::YAML.respond_to? :safe_load + def self.safe_load input + ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true) + end + + def self.load input + ::YAML.safe_load(input, [::Symbol]) + end + else + warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)." + def self.safe_load input, *args + ::YAML.load input + end + + def self.load input + ::YAML.load input + end + end + end +end diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb index c811ecec0e..efc08c4738 100644 --- a/lib/rubygems/specification.rb +++ b/lib/rubygems/specification.rb @@ -1128,7 +1128,7 @@ class Gem::Specification < Gem::BasicSpecification Gem.load_yaml input = normalize_yaml_input input - spec = YAML.load input + spec = Gem::SafeYAML.safe_load input if spec && spec.class == FalseClass then raise Gem::EndOfYAMLException |