rubygems-update 2.0.11 → 2.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 76355f13c1324461cdf6872c156a64ac8506a2d4
-  data.tar.gz: fef91eda501221dc92d50066343609747ec4a319
+  metadata.gz: 482de6c994fb43534deab69c45cbd1bd65e9d649
+  data.tar.gz: e0f8614cda95521bdf92b38da1fbc22937f1ac37
 SHA512:
-  metadata.gz: cc05fb1c3447f5ec895c7d768dd7fa9bf2e93db24cd77a9d683982a938f7a0586246736a163c76522acb4bcb74a92babf7beb32e5c5a10e3ee7506616f04c643
-  data.tar.gz: fccc1829bf3b202fd225cc8a5d0e263584f0e36458177c659a5d12df82d9b891b1248c02b57a565d0baacaf9b0d5f99abfbbedc536896edc0497c6f6eeae1fd6
+  metadata.gz: a5efa41db38165c7ef31fcae76fb5a1d9f59a411811bbfb898524a862d9cd5258d3815fa867d65160cebe4c32d52d7369b3cb8bfb234116cda83a617f2dcbb92
+  data.tar.gz: 7e1f7e6a3b36f0410ec961e0352828e783f4e3ded2b16a451306e7224dfad4ff3cf5a84207b8ccc0f0824c550367cd96591697aabe9bafa29a1faf136eb02f23

data/History.txt

@@ -1,5 +1,12 @@
 # coding: UTF-8
 
+=== 2.0.12 / 2013-10-14
+
+Bug fixes:
+
+* Proxy usernames and passwords are now escaped properly.  Ruby Bug #8979 and
+  patch by Masahiro Tomita, Issue #668 by Kouhei Sutou.
+
 === 2.0.11 / 2013-10-08
 
 Bug fixes:
@@ -512,6 +519,40 @@ $SAFE=1.  There is no functional difference compared to Ruby 2.0.0.preview2
   * URI scheme matching is no longer case-sensitive.  Fixes #322
   * ext/builder now checks $MAKE as well as $make (okkez)
 
+=== 1.8.28 / 2013-10-08
+
+Bug fixes:
+
+* Added the Verisign Class 3 Public Primary Certification Authority G5
+  certificate and its intermediary to follow the s3.amazonaws.com certificate
+  change.  Fixes #665 by emeyekayee.  Fixes #671 by jonforums.
+* Remove redundant built-in certificates not needed for https://rubygems.org
+  Fixes #654 by Vít Ondruch.
+* Added test for missing certificates for https://s3.amazonaws.com or
+  https://rubygems.org.  Pull request #673 by Hannes Georg.
+
+=== 1.8.27 / 2013-09-24
+
+Security fixes:
+
+* RubyGems 2.1.4 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4363 for full details
+  including vulnerable APIs.  Fixed versions include 2.1.5, 2.0.10, 1.8.27 and
+  1.8.23.2 (for Ruby 1.9.3).
+
+=== 1.8.26 / 2013-09-09
+
+Security fixes:
+
+* RubyGems 2.0.7 and earlier are vulnerable to excessive CPU usage due to a
+  backtracking in Gem::Version validation.  See CVE-2013-4287 for full details
+  including vulnerable APIs.  Fixed versions include 2.0.8, 1.8.26 and
+  1.8.23.1 (for Ruby 1.9.3).  Issue #626 by Damir Sharipov.
+
+Bug fixes:
+
+* Fixed editing of a Makefile with 8-bit characters.  Fixes #181
+
 === 1.8.25 / 2013-01-24
 
 * Bug fixes:

data/Rakefile

@@ -107,7 +107,7 @@ task :test => :clean_env
 
 task :prerelease => [:clobber, :check_manifest, :test]
 
-task :postrelease => [:publish_docs, :upload]
+task :postrelease => [:upload]
 
 pkg_dir_path = "pkg/rubygems-update-#{hoe.version}"
 task :package do

data/lib/rubygems.rb

@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = '2.0.11'
+  VERSION = '2.0.12'
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/remote_fetcher.rb

@@ -1,5 +1,6 @@
 require 'rubygems'
 require 'rubygems/user_interaction'
+require 'cgi'
 require 'thread'
 require 'uri'
 require 'resolv'
@@ -321,6 +322,14 @@ class Gem::RemoteFetcher
     response['content-length'].to_i
   end
 
+  def escape_auth_info(str)
+    str && CGI.escape(str)
+  end
+
+  def unescape_auth_info(str)
+    str && CGI.unescape(str)
+  end
+
   def escape(str)
     return unless str
     @uri_parser ||= uri_escaper
@@ -362,8 +371,8 @@ class Gem::RemoteFetcher
 
     if uri and uri.user.nil? and uri.password.nil? then
       # Probably we have http_proxy_* variables?
-      uri.user = escape(ENV['http_proxy_user'] || ENV['HTTP_PROXY_USER'])
-      uri.password = escape(ENV['http_proxy_pass'] || ENV['HTTP_PROXY_PASS'])
+      uri.user = escape_auth_info(ENV['http_proxy_user'] || ENV['HTTP_PROXY_USER'])
+      uri.password = escape_auth_info(ENV['http_proxy_pass'] || ENV['HTTP_PROXY_PASS'])
     end
 
     uri
@@ -387,8 +396,8 @@ class Gem::RemoteFetcher
       net_http_args += [
         @proxy_uri.host,
         @proxy_uri.port,
-        @proxy_uri.user,
-        @proxy_uri.password
+        unescape_auth_info(@proxy_uri.user),
+        unescape_auth_info(@proxy_uri.password)
       ]
     end
 

data/test/rubygems/test_gem_remote_fetcher.rb

@@ -143,6 +143,14 @@ gems:
     assert_equal proxy_uri, fetcher.instance_variable_get(:@proxy_uri)
   end
 
+  def test_escape_auth_info
+    assert_equal 'a%40b%5Cc', @fetcher.escape_auth_info('a@b\c')
+  end
+
+  def test_unescape_auth_info
+    assert_equal 'a@b\c', @fetcher.unescape_auth_info('a%40b%5Cc')
+  end
+
   def test_fetch_size_bad_uri
     fetcher = Gem::RemoteFetcher.new nil
 
@@ -438,7 +446,7 @@ gems:
       uri.user, uri.password = 'domain%5Cuser', 'bar'
       fetcher = Gem::RemoteFetcher.new uri.to_s
       proxy = fetcher.instance_variable_get("@proxy_uri")
-      assert_equal 'domain\user', fetcher.unescape(proxy.user)
+      assert_equal 'domain\user', fetcher.unescape_auth_info(proxy.user)
       assert_equal 'bar', proxy.password
       assert_data_from_proxy fetcher.fetch_path(@server_uri)
     end
@@ -449,7 +457,7 @@ gems:
       fetcher = Gem::RemoteFetcher.new uri.to_s
       proxy = fetcher.instance_variable_get("@proxy_uri")
       assert_equal 'user', proxy.user
-      assert_equal 'my pass', fetcher.unescape(proxy.password)
+      assert_equal 'my pass', fetcher.unescape_auth_info(proxy.password)
       assert_data_from_proxy fetcher.fetch_path(@server_uri)
     end
   end
@@ -472,8 +480,19 @@ gems:
       ENV['http_proxy_pass'] = 'my bar'
       fetcher = Gem::RemoteFetcher.new nil
       proxy = fetcher.instance_variable_get("@proxy_uri")
-      assert_equal 'foo\user', fetcher.unescape(proxy.user)
-      assert_equal 'my bar', fetcher.unescape(proxy.password)
+      assert_equal 'foo\user', fetcher.unescape_auth_info(proxy.user)
+      assert_equal 'my bar', fetcher.unescape_auth_info(proxy.password)
+      assert_data_from_proxy fetcher.fetch_path(@server_uri)
+    end
+
+    use_ui @ui do
+      ENV['http_proxy'] = @proxy_uri
+      ENV['http_proxy_user'] = 'foo@user'
+      ENV['http_proxy_pass'] = 'my@bar'
+      fetcher = Gem::RemoteFetcher.new nil
+      proxy = fetcher.instance_variable_get("@proxy_uri")
+      assert_equal 'foo@user', fetcher.unescape_auth_info(proxy.user)
+      assert_equal 'my@bar', fetcher.unescape_auth_info(proxy.password)
       assert_data_from_proxy fetcher.fetch_path(@server_uri)
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.0.11
+  version: 2.0.12
 platform: ruby
 authors:
 - Jim Weirich
@@ -32,7 +32,7 @@ cert_chain:
   KDyY1VIazVgoC8XvR4h/95/iScPiuglzA+DBG1hip1xScAtw05BrXyUNrc9CEMYU
   wgF94UVoHRp6ywo8I7NP3HcwFQDFNEZPNGXsng==
   -----END CERTIFICATE-----
-date: 2013-10-08 00:00:00.000000000 Z
+date: 2013-10-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -457,7 +457,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rubygems-update
-rubygems_version: 2.1.5
+rubygems_version: 2.1.7
 signing_key: 
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby