From f06f90323133e2f1440cd5090a622b56994c4e65 Mon Sep 17 00:00:00 2001 From: drbrain Date: Tue, 10 Sep 2013 00:52:14 +0000 Subject: * lib/rubygems: Update to RubyGems 2.1.0. Fixes CVE-2013-4287. See http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html for CVE information. See http://rubygems.rubyforge.org/rubygems-update/History_txt.html#label-2.1.0+%2F+2013-09-09 for release notes. * test/rubygems: Tests for the above. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42898 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- lib/rubygems/dependency_resolver.rb | 8 ++++++-- lib/rubygems/dependency_resolver/api_specification.rb | 3 +++ lib/rubygems/dependency_resolver/index_set.rb | 11 ++++++++--- lib/rubygems/dependency_resolver/index_specification.rb | 11 +++++++++-- .../dependency_resolver/installed_specification.rb | 4 ++++ lib/rubygems/dependency_resolver/installer_set.rb | 11 ++++++++--- lib/rubygems/gemcutter_utilities.rb | 3 ++- lib/rubygems/request_set.rb | 3 +++ lib/rubygems/spec_fetcher.rb | 5 ++++- lib/rubygems/specification.rb | 3 +-- lib/rubygems/test_case.rb | 15 ++++++++++++++- lib/rubygems/version.rb | 2 +- 12 files changed, 63 insertions(+), 16 deletions(-) (limited to 'lib/rubygems') diff --git a/lib/rubygems/dependency_resolver.rb b/lib/rubygems/dependency_resolver.rb index e5c05972d8..721fd43c51 100644 --- a/lib/rubygems/dependency_resolver.rb +++ b/lib/rubygems/dependency_resolver.rb @@ -79,7 +79,9 @@ class Gem::DependencyResolver needed = nil @needed.reverse_each do |n| - needed = Gem::List.new(Gem::DependencyResolver::DependencyRequest.new(n, nil), needed) + request = Gem::DependencyResolver::DependencyRequest.new n, nil + + needed = Gem::List.new request, needed end res = resolve_for needed, nil 
@@ -162,7 +164,9 @@ class Gem::DependencyResolver # Sort them so that we try the highest versions # first. - possible = possible.sort_by { |s| [s.source, s.version] } + possible = possible.sort_by do |s| + [s.source, s.version, s.platform == Gem::Platform::RUBY ? -1 : 1] + end # We track the conflicts seen so that we can report them # to help the user figure out how to fix the situation. diff --git a/lib/rubygems/dependency_resolver/api_specification.rb b/lib/rubygems/dependency_resolver/api_specification.rb index 5ad07396cf..ae688780dd 100644 --- a/lib/rubygems/dependency_resolver/api_specification.rb +++ b/lib/rubygems/dependency_resolver/api_specification.rb @@ -8,6 +8,7 @@ class Gem::DependencyResolver::APISpecification attr_reader :dependencies attr_reader :name + attr_reader :platform attr_reader :set # :nodoc: attr_reader :version @@ -15,6 +16,7 @@ class Gem::DependencyResolver::APISpecification @set = set @name = api_data[:name] @version = Gem::Version.new api_data[:number] + @platform = api_data[:platform] @dependencies = api_data[:dependencies].map do |name, ver| Gem::Dependency.new name, ver.split(/\s*,\s*/) end @@ -25,6 +27,7 @@ class Gem::DependencyResolver::APISpecification @set == other.set and @name == other.name and @version == other.version and + @platform == other.platform and @dependencies == other.dependencies end diff --git a/lib/rubygems/dependency_resolver/index_set.rb b/lib/rubygems/dependency_resolver/index_set.rb index fcf919d81b..d6a05e580f 100644 --- a/lib/rubygems/dependency_resolver/index_set.rb +++ b/lib/rubygems/dependency_resolver/index_set.rb 
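Review bot: The comment above the new `sort_by` block in lib/rubygems/dependency_resolver.rb still says only that the highest versions are tried first, but the key now carries a third element, `s.platform == Gem::Platform::RUBY ? -1 : 1`, whose effect on the order is not explained. I would add a line such as `# At equal source and version, pure-ruby specs sort before platform-specific ones.` so the tiebreak is documented where it is applied. The same ternary appears in `Gem::Specification#sort_obj` (specification.rb in this commit), and a shared helper would keep the two orderings from drifting apart. The enclosing method starts and ends outside the hunk, so how the sorted list is consumed afterwards is not visible here.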
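Review bot: `@platform = api_data[:platform]` in `initialize` keeps whatever the remote API returned, with no normalisation, and that value now feeds both `==` and the resolver's `s.platform == Gem::Platform::RUBY` sort key. A response that omits the field leaves `@platform` nil, which the sort would rank as a platform-specific gem. Consider `@platform = Gem::Platform.new api_data[:platform]`, which as far as I know maps nil and "ruby" to `Gem::Platform::RUBY`, so that specs built from API data compare consistently with those from the other sets. `initialize` begins outside the hunk.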
@@ -43,9 +43,14 @@ class Gem::DependencyResolver::IndexSet # Called from IndexSpecification to get a true Specification # object. - def load_spec name, ver, source - key = "#{name}-#{ver}" - @specs[key] ||= source.fetch_spec(Gem::NameTuple.new(name, ver)) + def load_spec name, ver, platform, source + key = "#{name}-#{ver}-#{platform}" + + @specs.fetch key do + tuple = Gem::NameTuple.new name, ver, platform + + @specs[key] = source.fetch_spec tuple + end end ## diff --git a/lib/rubygems/dependency_resolver/index_specification.rb b/lib/rubygems/dependency_resolver/index_specification.rb index 371018ba44..d8ac69d402 100644 --- a/lib/rubygems/dependency_resolver/index_specification.rb +++ b/lib/rubygems/dependency_resolver/index_specification.rb @@ -8,6 +8,8 @@ class Gem::DependencyResolver::IndexSpecification attr_reader :name + attr_reader :platform + attr_reader :source attr_reader :version @@ -39,14 +41,19 @@ class Gem::DependencyResolver::IndexSpecification q.breakable q.text full_name + unless Gem::Platform::RUBY == @platform then + q.breakable + q.text @platform + end + q.breakable - q.text ' source ' + q.text 'source ' q.pp @source end end def spec - @spec ||= @set.load_spec(@name, @version, @source) + @spec ||= @set.load_spec(@name, @version, @platform, @source) end end diff --git a/lib/rubygems/dependency_resolver/installed_specification.rb b/lib/rubygems/dependency_resolver/installed_specification.rb index af167572bf..ca20ace61e 100644 --- a/lib/rubygems/dependency_resolver/installed_specification.rb +++ b/lib/rubygems/dependency_resolver/installed_specification.rb @@ -26,6 +26,10 @@ class Gem::DependencyResolver::InstalledSpecification @spec.name end + def platform + @spec.platform + end + def source @source ||= Gem::Source::Installed.new end diff --git a/lib/rubygems/dependency_resolver/installer_set.rb b/lib/rubygems/dependency_resolver/installer_set.rb index 7de052df77..c39f77a005 100644 --- a/lib/rubygems/dependency_resolver/installer_set.rb 
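Review bot: The cache key in `load_spec`, `"#{name}-#{ver}-#{platform}"`, leaves out `source`, so once an entry is cached the same spec is returned for that name, version and platform whichever source the caller passed. If `@specs` can ever hold entries fetched from more than one source (not visible in this hunk), a spec obtained from one repository would be served for a request made against another. A structured key such as `key = [name, ver, platform, source]`, provided the source objects hash consistently, avoids that and also the ambiguity of joining hyphenated gem names and platforms with `-`. The identical method is added in lib/rubygems/dependency_resolver/installer_set.rb and needs the same change; the two copies could share one implementation.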
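Review bot: In `pretty_print`, `q.text @platform` hands the platform straight to `PrettyPrint#text`, which expects a String because it takes the width from `length`. If `@platform` is a `Gem::Platform` object rather than a string, inspecting a non-ruby spec would raise instead of printing; `q.text @platform.to_s` is safe for both. Where `@platform` is assigned is outside the hunks shown for this file, so its type cannot be confirmed from here.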
+++ b/lib/rubygems/dependency_resolver/installer_set.rb @@ -115,9 +115,14 @@ class Gem::DependencyResolver::InstallerSet # Called from IndexSpecification to get a true Specification # object. - def load_spec name, ver, source - key = "#{name}-#{ver}" - @specs[key] ||= source.fetch_spec Gem::NameTuple.new name, ver + def load_spec name, ver, platform, source + key = "#{name}-#{ver}-#{platform}" + + @specs.fetch key do + tuple = Gem::NameTuple.new name, ver, platform + + @specs[key] = source.fetch_spec tuple + end end ## diff --git a/lib/rubygems/gemcutter_utilities.rb b/lib/rubygems/gemcutter_utilities.rb index 6446cc9799..9dbc18ba98 100644 --- a/lib/rubygems/gemcutter_utilities.rb +++ b/lib/rubygems/gemcutter_utilities.rb @@ -77,7 +77,8 @@ module Gem::GemcutterUtilities # Signs in with the RubyGems API at +sign_in_host+ and sets the rubygems API # key. - def sign_in sign_in_host = self.host + def sign_in sign_in_host = nil + sign_in_host ||= self.host return if Gem.configuration.rubygems_api_key pretty_host = if Gem::DEFAULT_HOST == sign_in_host then diff --git a/lib/rubygems/request_set.rb b/lib/rubygems/request_set.rb index 748c320c28..a45c64e0b4 100644 --- a/lib/rubygems/request_set.rb +++ b/lib/rubygems/request_set.rb @@ -28,7 +28,10 @@ class Gem::RequestSet @always_install = [] @development = false + @requests = [] @soft_missing = false + @sorted = nil + @specs = nil yield self if block_given? end diff --git a/lib/rubygems/spec_fetcher.rb b/lib/rubygems/spec_fetcher.rb index 53ff8d1f45..2ed7d4286a 100644 --- a/lib/rubygems/spec_fetcher.rb +++ b/lib/rubygems/spec_fetcher.rb @@ -200,8 +200,11 @@ class Gem::SpecFetcher when :released tuples_for source, :released when :complete - tuples_for(source, :prerelease, true) + + names = + tuples_for(source, :prerelease, true) + tuples_for(source, :released) + + names.sort when :prerelease tuples_for(source, :prerelease) else 
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb index 49cf25d772..12943a3e24 100644 --- a/lib/rubygems/specification.rb +++ b/lib/rubygems/specification.rb @@ -34,7 +34,7 @@ class Date; end # s.homepage = 'https://rubygems.org/gems/example' # end # -# Starting in RubyGems 1.9.0, a Specification can hold arbitrary +# Starting in RubyGems 2.0, a Specification can hold arbitrary # metadata. This metadata is accessed via Specification#metadata # and has the following restrictions: # @@ -2097,7 +2097,6 @@ class Gem::Specification < Gem::BasicSpecification # Returns an object you can use to sort specifications in #sort_by. def sort_obj - # TODO: this is horrible. Deprecate it. [@name, @version, @new_platform == Gem::Platform::RUBY ? -1 : 1] end diff --git a/lib/rubygems/test_case.rb b/lib/rubygems/test_case.rb index 5d59e35403..d6c1a36ad1 100644 --- a/lib/rubygems/test_case.rb +++ b/lib/rubygems/test_case.rb @@ -1097,7 +1097,11 @@ Also, a list: class StaticSet def initialize(specs) - @specs = specs.sort_by { |s| s.full_name } + @specs = specs + end + + def add spec + @specs << spec end def find_spec(dep) @@ -1110,6 +1114,15 @@ Also, a list: @specs.find_all { |s| dep.matches_spec? s } end + def load_spec name, ver, platform, source + dep = Gem::Dependency.new name, ver + spec = find_spec dep + + Gem::Specification.new spec.name, spec.version do |s| + s.platform = spec.platform + end + end + def prefetch(reqs) end end diff --git a/lib/rubygems/version.rb b/lib/rubygems/version.rb index fa9bbc5a9d..2e546462d4 100644 --- a/lib/rubygems/version.rb +++ b/lib/rubygems/version.rb 
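Review bot: `StaticSet#load_spec` in lib/rubygems/test_case.rb accepts `platform` and `source` but ignores both, building a dependency from `name` and `ver` only and copying whatever `find_spec` returns. With two specs of the same name and version on different platforms, which is the case this commit teaches the resolver about, the helper can hand back the wrong platform, and if `find_spec` returns nil on a miss the method fails with `NoMethodError` at `spec.name`. Selecting with `spec = @specs.find { |s| dep.matches_spec? s and s.platform == platform }` and raising a descriptive error when nothing matches would make tests fail for the right reason. Separately, `initialize` now keeps the caller's array (the `sort_by` copy is gone) and `add` appends to it with `<<`, so `@specs = specs.dup` would avoid mutating the caller's list.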
@@ -147,7 +147,7 @@ class Gem::Version # FIX: These are only used once, in .correct?. Do they deserve to be # constants? - VERSION_PATTERN = '[0-9]+(\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: + VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?' # :nodoc: ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc: ## -- cgit v1.2.3
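Review bot: The atomic group added to `VERSION_PATTERN` covers only the `\.[0-9a-zA-Z]+` segments, while the context line `ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/` still repeats the whole pattern with an outer `*`. Because `[0-9]+` can take a run of digits in one piece or split it across repetitions of that outer group, a long version string that finally fails the `\z` anchor can still force heavy backtracking, so the algorithmic-complexity problem this commit addresses (CVE-2013-4287) looks only partly closed. A version string holds a single version, so the outer quantifier can become optional, `ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/`, and the prerelease part `(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?` deserves the same atomic treatment. A regression test that runs `Gem::Version.correct?` on a long invalid string under a time limit would keep this from returning.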