rubygems-update 2.0.15 → 2.0.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b4775dabfae0ef7de44b6438d76446a7880ca4c6
-  data.tar.gz: 510bd734392de9ffac798d6fed2f6f172a89277a
+  metadata.gz: a73bcbd4fbbd72da068f225bc86a61ba6e7ee981
+  data.tar.gz: ab58dc5df51e0735110298073c0780cd855c5d99
 SHA512:
-  metadata.gz: ed05c2af4e670d615e46e646546b6d1621c81d933bac9bd28e3f9203b9c7cfbc04f8f0b88b309349395d76ee642751a212bd28a13b89fb96c8b0b745adf578d0
-  data.tar.gz: 36124f17c87851fe53e8e97a3675c5371d9889685789f44f8a691ce656fb2ff9db874bd879dd55786159d27ebe21cfd54225e04e9cab3b4ba9dfe44cdb2821ba
+  metadata.gz: 40308a04d1211aef0db6578595838f31c9649bef3e1ccabbbf9ddebfbcce5f61401d6986465f7055b7c821f3330ddd351d06962f1b50d0a567843e11218438bc
+  data.tar.gz: 9c265d4e0c4093e4e44ee0e4e676b3db15ae28fff711e5ffc650fca99eb707f7cb8f49040080b901b2ba4ba3ea16df43f9008ef3caec8fbc9c745d5adefc1b77

data/History.txt

@@ -1,5 +1,12 @@
 # coding: UTF-8
 
+=== 2.0.16 / 2015-05-14
+
+Bug fixes:
+
+* Backport: Limit API endpoint to original security domain for CVE-2015-3900.
+  Fix by claudijd
+
 === 2.0.15 / 2014-12-21
 
 Bug fixes:

data/lib/rubygems.rb

@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = '2.0.15'
+  VERSION = '2.0.16'
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/remote_fetcher.rb

@@ -103,7 +103,13 @@ class Gem::RemoteFetcher
     rescue Resolv::ResolvError
       uri
     else
-      URI.parse "#{res.target}#{uri.path}"
+      target = res.target.to_s.strip
+
+      if /#{host}\z/ =~ target
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+      end
+
+      uri
     end
   end
 

data/test/rubygems/test_gem_remote_fetcher.rb

@@ -177,15 +177,30 @@ gems:
   end
 
   def test_api_endpoint
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "gems.example.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values
     uri = URI.parse "http://gems.example.com/foo"
     target = MiniTest::Mock.new
-    target.expect :target, "http://blah.com"
+    target.expect :target, "blah.com"
 
     dns = MiniTest::Mock.new
     dns.expect :getresource, target, [String, Object]
 
     fetch = Gem::RemoteFetcher.new nil, dns
-    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
 
     target.verify
     dns.verify

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.0.15
+  version: 2.0.16
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,90 +10,104 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-21 00:00:00.000000000 Z
+date: 2015-05-14 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '5.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '5.4'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '4.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '4.0'
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.1'
 - !ruby/object:Gem::Dependency
   name: hoe-seattlerb
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.2'
 - !ruby/object:Gem::Dependency
   name: ZenTest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '4.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '4.5'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.9.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.9.3
 - !ruby/object:Gem::Dependency
   name: hoe
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '3.13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '3.13'
 description: |-
@@ -137,9 +151,9 @@ extra_rdoc_files:
 - UPGRADING.rdoc
 - hide_lib_for_update/note.txt
 files:
-- ".autotest"
-- ".document"
-- ".gemtest"
+- .autotest
+- .document
+- .gemtest
 - CVE-2013-4287.txt
 - CVE-2013-4363.txt
 - History.txt
@@ -407,113 +421,25 @@ licenses:
 metadata: {}
 post_install_message: 
 rdoc_options:
-- "--main"
+- --main
 - README.rdoc
-- "--title=RubyGems Update Documentation"
+- --title=RubyGems Update Documentation
 require_paths:
 - hide_lib_for_update
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.2
 signing_key: 
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby
-test_files:
-- test/rubygems/test_bundled_ca.rb
-- test/rubygems/test_config.rb
-- test/rubygems/test_deprecate.rb
-- test/rubygems/test_gem.rb
-- test/rubygems/test_gem_available_set.rb
-- test/rubygems/test_gem_command.rb
-- test/rubygems/test_gem_command_manager.rb
-- test/rubygems/test_gem_commands_build_command.rb
-- test/rubygems/test_gem_commands_cert_command.rb
-- test/rubygems/test_gem_commands_check_command.rb
-- test/rubygems/test_gem_commands_cleanup_command.rb
-- test/rubygems/test_gem_commands_contents_command.rb
-- test/rubygems/test_gem_commands_dependency_command.rb
-- test/rubygems/test_gem_commands_environment_command.rb
-- test/rubygems/test_gem_commands_fetch_command.rb
-- test/rubygems/test_gem_commands_generate_index_command.rb
-- test/rubygems/test_gem_commands_help_command.rb
-- test/rubygems/test_gem_commands_install_command.rb
-- test/rubygems/test_gem_commands_list_command.rb
-- test/rubygems/test_gem_commands_lock_command.rb
-- test/rubygems/test_gem_commands_mirror.rb
-- test/rubygems/test_gem_commands_outdated_command.rb
-- test/rubygems/test_gem_commands_owner_command.rb
-- test/rubygems/test_gem_commands_pristine_command.rb
-- test/rubygems/test_gem_commands_push_command.rb
-- test/rubygems/test_gem_commands_query_command.rb
-- test/rubygems/test_gem_commands_search_command.rb
-- test/rubygems/test_gem_commands_server_command.rb
-- test/rubygems/test_gem_commands_setup_command.rb
-- test/rubygems/test_gem_commands_sources_command.rb
-- test/rubygems/test_gem_commands_specification_command.rb
-- test/rubygems/test_gem_commands_stale_command.rb
-- test/rubygems/test_gem_commands_uninstall_command.rb
-- test/rubygems/test_gem_commands_unpack_command.rb
-- test/rubygems/test_gem_commands_update_command.rb
-- test/rubygems/test_gem_commands_which_command.rb
-- test/rubygems/test_gem_commands_yank_command.rb
-- test/rubygems/test_gem_config_file.rb
-- test/rubygems/test_gem_dependency.rb
-- test/rubygems/test_gem_dependency_installer.rb
-- test/rubygems/test_gem_dependency_list.rb
-- test/rubygems/test_gem_dependency_resolver.rb
-- test/rubygems/test_gem_doctor.rb
-- test/rubygems/test_gem_ext_builder.rb
-- test/rubygems/test_gem_ext_cmake_builder.rb
-- test/rubygems/test_gem_ext_configure_builder.rb
-- test/rubygems/test_gem_ext_ext_conf_builder.rb
-- test/rubygems/test_gem_ext_rake_builder.rb
-- test/rubygems/test_gem_gem_runner.rb
-- test/rubygems/test_gem_gemcutter_utilities.rb
-- test/rubygems/test_gem_indexer.rb
-- test/rubygems/test_gem_install_update_options.rb
-- test/rubygems/test_gem_installer.rb
-- test/rubygems/test_gem_local_remote_options.rb
-- test/rubygems/test_gem_name_tuple.rb
-- test/rubygems/test_gem_package.rb
-- test/rubygems/test_gem_package_old.rb
-- test/rubygems/test_gem_package_tar_header.rb
-- test/rubygems/test_gem_package_tar_reader.rb
-- test/rubygems/test_gem_package_tar_reader_entry.rb
-- test/rubygems/test_gem_package_tar_writer.rb
-- test/rubygems/test_gem_package_task.rb
-- test/rubygems/test_gem_path_support.rb
-- test/rubygems/test_gem_platform.rb
-- test/rubygems/test_gem_rdoc.rb
-- test/rubygems/test_gem_remote_fetcher.rb
-- test/rubygems/test_gem_request_set.rb
-- test/rubygems/test_gem_requirement.rb
-- test/rubygems/test_gem_security.rb
-- test/rubygems/test_gem_security_policy.rb
-- test/rubygems/test_gem_security_signer.rb
-- test/rubygems/test_gem_security_trust_dir.rb
-- test/rubygems/test_gem_server.rb
-- test/rubygems/test_gem_silent_ui.rb
-- test/rubygems/test_gem_source.rb
-- test/rubygems/test_gem_source_list.rb
-- test/rubygems/test_gem_source_local.rb
-- test/rubygems/test_gem_source_specific_file.rb
-- test/rubygems/test_gem_spec_fetcher.rb
-- test/rubygems/test_gem_specification.rb
-- test/rubygems/test_gem_stream_ui.rb
-- test/rubygems/test_gem_text.rb
-- test/rubygems/test_gem_uninstaller.rb
-- test/rubygems/test_gem_validator.rb
-- test/rubygems/test_gem_version.rb
-- test/rubygems/test_gem_version_option.rb
-- test/rubygems/test_kernel.rb
-- test/rubygems/test_require.rb
+test_files: []