From a75922010fe38f48c08c744456dd92cb755e1119 Mon Sep 17 00:00:00 2001
From: drbrain
Date: Thu, 7 Feb 2013 22:48:35 +0000
Subject: * lib/rubygems/package/old.rb: Disallow installation of old-format gems when a security policy is active. * test/rubygems/test_gem_package_old.rb: Test for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@39142 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 6 +++++
 lib/rubygems/package/old.rb | 20 +++++++++++++++++
 test/rubygems/test_gem_package_old.rb | 42 +++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 62238fd6a7..4d869bc735 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Fri Feb 8 07:47:56 2013 Eric Hodel
+
+	* lib/rubygems/package/old.rb: Disallow installation of old-format
+	  gems when a security policy is active.
+	* test/rubygems/test_gem_package_old.rb: Test for above.
+
 Fri Feb 8 07:34:00 2013 Zachary Scott
 
 	* lib/net/http.rb (HTTP.post_form): Fix module scope in documentation
diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
index 552a5f3591..6bf9ea0fe3 100644
--- a/lib/rubygems/package/old.rb
+++ b/lib/rubygems/package/old.rb
@@ -32,6 +32,8 @@ class Gem::Package::Old < Gem::Package
   # A list of file names contained in this gem
 
   def contents
+    verify
+
     return @contents if @contents
 
     open @gem, 'rb' do |io|
@@ -46,6 +48,8 @@ class Gem::Package::Old < Gem::Package
   # Extracts the files in this package into +destination_dir+
 
   def extract_files destination_dir
+    verify
+
     errstr = "Error reading files from gem"
 
     open @gem, 'rb' do |io|
@@ -125,6 +129,8 @@ class Gem::Package::Old < Gem::Package
   # The specification for this gem
 
   def spec
+    verify
+
     return @spec if @spec
 
     yaml = ''
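Review bot: The RDoc comments above `contents`, `extract_files` and `spec` (hunks at -32, -46 and -125) are not updated to say that these methods now raise under a data-verifying security policy, so a caller reading only the documentation sees no hint that a plain read can fail with `Gem::Security::Exception`. Add a line such as `# Raises Gem::Security::Exception when the active security policy verifies data; see #verify` to each of the three comment blocks. Whether other public methods of `Gem::Package::Old` also open the gem file and would need the same guard cannot be seen from these hunks. The bodies of all three methods continue past their hunks.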
@@ -143,5 +149,19 @@ class Gem::Package::Old < Gem::Package
     raise Gem::Exception, "Failed to parse gem specification out of gem file"
   end
 
+  ##
+  # Raises an exception if a security policy that verifies data is active.
+  # Old format gems cannot be verified as signed.
+
+  def verify
+    return true unless @security_policy
+
+    raise Gem::Security::Exception,
+          'old format gems do not contain signatures and cannot be verified' if
+      @security_policy.verify_data
+
+    true
+  end
+
 end
 
diff --git a/test/rubygems/test_gem_package_old.rb b/test/rubygems/test_gem_package_old.rb
index 20d9837a83..e0884348e5 100644
--- a/test/rubygems/test_gem_package_old.rb
+++ b/test/rubygems/test_gem_package_old.rb
@@ -18,6 +18,14 @@ class TestGemPackageOld < Gem::TestCase
     assert_equal %w[lib/foo.rb lib/test.rb lib/test/wow.rb], @package.contents
   end
 
+  def test_contents_security_policy
+    @package.security_policy = Gem::Security::AlmostNoSecurity
+
+    assert_raises Gem::Security::Exception do
+      @package.contents
+    end
+  end
+
   def test_extract_files
     @package.extract_files @destination
 
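Review bot: The three-line `raise ... if` in `verify`, with the modifier condition wrapped onto its own line beneath the message, is easy to misread as a continuation of the message; keeping the first guard and collapsing the rest to `raise Gem::Security::Exception, 'old format gems do not contain signatures and cannot be verified' if @security_policy.verify_data` gives the same behaviour on one line. Since the hunk header shows `Gem::Package::Old < Gem::Package`, this `verify` presumably overrides a superclass method with a broader contract; if so, the doc comment should state that for an old-format gem verification consists of this policy check alone and no checksums or signatures are examined. The decision rests solely on `verify_data`, which is only sufficient if every policy that demands signatures also sets that flag — not something this diff lets one confirm, so it is worth a sentence in the comment.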
@@ -29,9 +37,43 @@ class TestGemPackageOld < Gem::TestCase
     assert_equal mask, File.stat(extracted).mode unless win_platform?
   end
 
+  def test_extract_files_security_policy
+    @package.security_policy = Gem::Security::AlmostNoSecurity
+
+    assert_raises Gem::Security::Exception do
+      @package.extract_files @destination
+    end
+  end
+
   def test_spec
     assert_equal 'testing', @package.spec.name
   end
 
+  def test_spec_security_policy
+    @package.security_policy = Gem::Security::AlmostNoSecurity
+
+    assert_raises Gem::Security::Exception do
+      @package.spec
+    end
+  end
+
+  def test_verify
+    assert @package.verify
+
+    @package.security_policy = Gem::Security::NoSecurity
+
+    assert @package.verify
+
+    @package.security_policy = Gem::Security::AlmostNoSecurity
+
+    e = assert_raises Gem::Security::Exception do
+      @package.verify
+    end
+
+    assert_equal 'old format gems do not contain signatures ' +
+                 'and cannot be verified',
+                 e.message
+  end
+
 end
 
-- 
cgit v1.2.3