From 215999281fa297cd8dce649b2701e62430229b3d Mon Sep 17 00:00:00 2001
From: hsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Thu, 11 Jun 2015 05:34:52 +0000
Subject: * lib/rubygems.rb: bump version to 2.4.7 and 2.4.8. these versions
 fixed   CVE-2015-3900. * lib/rubygems/remote_fetcher.rb: ditto. *
 test/rubygems/test_gem_remote_fetcher.rb: added testcase for CVE-2015-3900

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50829 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/rubygems/remote_fetcher.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'lib/rubygems')

diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
index da1febbe86..3f107a3981 100644
--- a/lib/rubygems/remote_fetcher.rb
+++ b/lib/rubygems/remote_fetcher.rb
@@ -94,7 +94,13 @@ class Gem::RemoteFetcher
     rescue Resolv::ResolvError
       uri
     else
-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
+      target = res.target.to_s.strip
+
+      if /\.#{Regexp.quote(host)}\z/ =~ target
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+      end
+
+      uri
     end
   end
 
-- 
cgit v1.2.3