authorhsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2019-03-05 03:32:58 +0000
committerhsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2019-03-05 03:32:58 +0000
commit08f8cfe14e0f8937e3bcf8a22becdc5ce60b920e (patch)
tree30977064b5f93f9ac5b01b2a676f6d6ffdcec652 /lib/rubygems/installer.rb
parent593505ac6f802d2b5bff469425b7c76b65cc9b10 (diff)
Merge RubyGems upstream: 56c0bbb69e4506bda7ef7f447dfec5db820df20b
It fixes multiple vulnerabilities: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rubygems/installer.rb')
-rw-r--r--lib/rubygems/installer.rb31
1 files changed, 25 insertions, 6 deletions
diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
index b64ba17be6..1415a14f22 100644
--- a/lib/rubygems/installer.rb
+++ b/lib/rubygems/installer.rb
@@ -729,9 +729,26 @@ class Gem::Installer
unpack or File.writable?(gem_home)
end
- def verify_spec_name
- return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
- raise Gem::InstallError, "#{spec} has an invalid name"
+ def verify_spec
+ unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+ raise Gem::InstallError, "#{spec} has an invalid name"
+ end
+
+ if spec.raw_require_paths.any?{|path| path =~ /\R/ }
+ raise Gem::InstallError, "#{spec} has an invalid require_paths"
+ end
+
+ if spec.extensions.any?{|ext| ext =~ /\R/ }
+ raise Gem::InstallError, "#{spec} has an invalid extensions"
+ end
+
+ unless spec.specification_version.to_s =~ /\A\d+\z/
+ raise Gem::InstallError, "#{spec} has an invalid specification_version"
+ end
+
+ if spec.dependencies.any? {|dep| dep.type =~ /\R/ || dep.name =~ /\R/ }
+ raise Gem::InstallError, "#{spec} has an invalid dependencies"
+ end
end
##
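Review bot: The new `def verify_spec` carries no leading comment, while the neighbouring methods in this file are introduced with `##` doc blocks, and the reason these particular fields are checked — the spec is later rendered to Ruby and eval'd by `ensure_loadable_spec`, so any field that could carry a line break or non-numeric text must be rejected first — is only stated at the call site in `pre_install_checks`. I would add above the `def`: `##` / `# Rejects a spec whose name, require_paths, extensions, specification_version or dependency names/types could inject code into the Ruby generated for #ensure_loadable_spec.` Block spacing is also inconsistent within the method: `any?{|path|` on the require_paths and extensions checks versus `any? {|dep|` on the dependencies check; the conventional form is `any? { |path| ... }`. The messages for the last two checks read "has an invalid extensions" / "has an invalid dependencies"; `"#{spec} has invalid extensions"` and `"#{spec} has invalid dependencies"` would be grammatical.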
@@ -844,7 +861,7 @@ TEXT
# without the full gem installed.
def extract_bin
- @package.extract_files gem_dir, "bin/*"
+ @package.extract_files gem_dir, "#{spec.bindir}/*"
end
##
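Review bot: `spec.bindir` now flows straight from the gemspec into the glob handed to `extract_files`, yet the `verify_spec` added earlier in this commit validates name, require_paths, extensions, specification_version and dependencies but not `bindir`. Whether a bindir containing `..`, an absolute path or glob metacharacters stays inside `gem_dir` presumably depends on the path checks inside `Gem::Package#extract_files`, which are not visible here — worth confirming, or rejecting such values up front in `verify_spec` alongside the other `\R` checks, e.g. `raise Gem::InstallError, "#{spec} has an invalid bindir" if spec.bindir =~ /\R/`. A short comment on the changed line, `# bindir comes from the gemspec; extract_files is relied on to keep the glob inside gem_dir`, would record that assumption for the next reader.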
@@ -880,9 +897,11 @@ TEXT
def pre_install_checks
verify_gem_home options[:unpack]
- ensure_loadable_spec
+ # The name and require_paths must be verified first, since it could contain
+ # ruby code that would be eval'ed in #ensure_loadable_spec
+ verify_spec
- verify_spec_name
+ ensure_loadable_spec
if options[:install_as_default]
Gem.ensure_default_gem_subdirectories gem_home