rubygems-update 3.0.0 → 3.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ea50377cd0dc10d97b35b8cb30469ec43cee296cdc017ec49ef7b8869128d8c
-  data.tar.gz: 0e21b6e7dc4bc5fdc11beaa64077b8c3e3f429d3c9b39ecc25354dda2beff52c
+  metadata.gz: 3dcbed60214cfd0ed97ed7fce1d0c9e9a1298a823a26fcd2b75326d711ff299d
+  data.tar.gz: 6dd6fabe834fd5fc81dfa7bb55f874a6d182123a8d0e396fe7dd57cacee5e379
 SHA512:
-  metadata.gz: 66d9e042e9559a895006fc702ad47a6cadfd2525c7bdab0635dbb14ee84e426e44f65380c6c3984a0e71aeaf6fa6d962e1d7391949aeacd2a087401080f71b2f
-  data.tar.gz: 6c803e3b8b719d8df12fda6857654680ecfa6719c35f66559380daaf2c0141ab3f15ea737e285a06389d4d2fe1ae5edc6e5f0c1f22c5c8e7904100df7238ff5f
+  metadata.gz: ef072a34d1765edd4f67b83a19efbc691e2f4c4dac6c8fda9004dbb2a771f550aa7b8a61dd301a477310f9e3987c642c8c49e8d417abd1e4bffbe7dd1a485499
+  data.tar.gz: e30274bbce496312bcb34f45cce2d7f7c2f6916095f67de538ccb9429b197f402d75c9c3090472dea3d2481760632466c20c513890f3d924e671ff4df77b0982

data/.rubocop.yml

@@ -3,6 +3,7 @@ AllCops:
   Exclude:
     - 'bundler/**/*'
     - 'lib/rubygems/resolver/molinillo/**/*'
+    - 'pkg/**/*'
   TargetRubyVersion: 2.3
 
 Layout/AccessModifierIndentation:

data/CODE_OF_CONDUCT.md

@@ -1,10 +1,10 @@
 # Contributor Code of Conduct
 
-### Our Pledge
+## Our Pledge
 
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
 
-### Our Standards
+## Our Standards
 
 Examples of behavior that contributes to creating a positive environment include:
 
@@ -22,22 +22,24 @@ Examples of unacceptable behavior by participants include:
 * Publishing others' private information, such as a physical or electronic address, without explicit permission
 * Other conduct which could reasonably be considered inappropriate in a professional setting
 
-### Our Responsibilities
+## Our Responsibilities
 
 Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
 
 Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
 
-### Scope
+## Scope
 
 This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
 
-### Enforcement
+## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the [project team](MAINTAINERS.txt). All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
 
-### Attribution
+## Attribution
 
-This Code of Conduct is adapted from the Contributor Covenant, version 1.4, available at http://contributor-covenant.org/version/1/4.
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org

data/CONTRIBUTING.md

@@ -37,6 +37,13 @@ To run commands like `gem install` from the repo:
 
     $ ruby -Ilib bin/gem install
 
+To run bundler test:
+
+    $ cd bundler
+    $ git submodule update --init --recursive
+    $ bin/rake spec:deps
+    $ bin/rspec spec
+
 ## Issues
 
 RubyGems uses labels to track all issues and pull requests. In order to

data/History.txt

@@ -1,5 +1,100 @@
 # coding: UTF-8
 
+=== 3.0.4 / 2019-06-14
+
+Minor enhancements:
+
+* Add support for TruffleRuby #2612 by Benoit Daloze
+* Serve a more descriptive error when --no-ri or --no-rdoc are used #2572
+  by Grey Baker
+* Improve test compatibility with CMake 2.8. Pull request #2590 by Vít
+  Ondruch.
+* Restore gem build behavior and introduce the "-C" flag to gem build.
+  Pull request #2596 by Luis Sagastume.
+* Enabled block call with util_set_arch. Pull request #2603 by SHIBATA
+  Hiroshi.
+* Avoid rdoc hook when it's failed to load rdoc library. Pull request
+  #2604 by SHIBATA Hiroshi.
+* Drop tests for legacy RDoc. Pull request #2608 by Nobuyoshi Nakada.
+* Update TODO comment. Pull request #2658 by Luis Sagastume.
+* Skip malicious extension test with mswin platform. Pull request #2670 by
+  SHIBATA Hiroshi.
+* Check deprecated methods on release. Pull request #2673 by David
+  Rodríguez.
+* Add steps to run bundler tests. Pull request #2680 by Aditya Prakash.
+* Skip temporary "No such host is known" error. Pull request #2684 by
+  Takashi Kokubun.
+* Replaced aws-sdk-s3 instead of s3cmd. Pull request #2688 by SHIBATA
+  Hiroshi.
+* Allow uninstall from symlinked GEM_HOME. Pull request #2720 by David
+  Rodríguez.
+* Use current checkout in CI to uninstall RVM related gems. Pull request
+  #2729 by David Rodríguez.
+* Update Contributor Covenant v1.4.1. Pull request #2751 by SHIBATA
+  Hiroshi.
+* Added supported versions of Ruby. Pull request #2756 by SHIBATA Hiroshi.
+* Fix shadowing outer local variable warning. Pull request #2763 by Luis
+  Sagastume.
+* Update the certificate files to make the test pass on Debian 10. Pull
+  request #2777 by Yusuke Endoh.
+* Backport ruby core changes. Pull request #2778 by SHIBATA Hiroshi.
+
+Bug fixes:
+
+* Test_gem.rb - intermittent failure fix. Pull request #2613 by MSP-Greg.
+* Fix sporadic CI failures. Pull request #2617 by David Rodríguez.
+* Fix flaky bundler version finder tests. Pull request #2624 by David
+  Rodríguez.
+* Fix gem indexer tests leaking utility gems. Pull request #2625 by David
+  Rodríguez.
+* Clean up default spec dir too. Pull request #2639 by David Rodríguez.
+* Fix 2.6.1 build against vendored bundler. Pull request #2645 by David
+  Rodríguez.
+* Fix comment typo. Pull request #2664 by Luis Sagastume.
+* Fix comment of Gem::Specification#required_ruby_version=. Pull request
+  #2732 by Alex Junger.
+* Fix TODOs. Pull request #2748 by David Rodríguez.
+
+=== 3.0.3 / 2019-03-05
+
+Security fixes:
+
+* Fixed following vulnerabilities:
+  * CVE-2019-8320: Delete directory using symlink when decompressing tar
+  * CVE-2019-8321: Escape sequence injection vulnerability in `verbose`
+  * CVE-2019-8322: Escape sequence injection vulnerability in `gem owner`
+  * CVE-2019-8323: Escape sequence injection vulnerability in API response handling
+  * CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
+  * CVE-2019-8325: Escape sequence injection vulnerability in errors
+
+=== 3.0.2 / 2019-01-01
+
+Minor enhancements:
+
+* Use Bundler-1.17.3. Pull request #2556 by SHIBATA Hiroshi.
+* Fix document flag description. Pull request #2555 by Luis Sagastume.
+
+Bug fixes:
+
+* Fix tests when ruby --program-suffix is used without rubygems
+  --format-executable. Pull request #2549 by Jeremy Evans.
+* Fix Gem::Requirement equality comparison when ~> operator is used. Pull
+  request #2554 by Grey Baker.
+* Unset SOURCE_DATE_EPOCH in the test cases. Pull request #2558 by Sorah
+  Fukumori.
+* Restore SOURCE_DATE_EPOCH. Pull request #2560 by SHIBATA Hiroshi.
+
+=== 3.0.1 / 2018-12-23
+
+Bug fixes:
+
+* Ensure globbed files paths are expanded. Pull request #2536 by Tony Ta.
+* Dup the Dir.home string before passing it on. Pull request #2545 by
+  Charles Oliver Nutter.
+* Added permissions to installed files for non-owners. Pull request #2546
+  by SHIBATA Hiroshi.
+* Restore release task without hoe. Pull request #2547 by SHIBATA Hiroshi.
+
 === 3.0.0 / 2018-12-19
 
 Major enhancements:

data/README.md

@@ -25,6 +25,12 @@ Finally, inside your Ruby program, load the Nokogiri gem and start parsing your
 
 For more information about how to use RubyGems, see our RubyGems basics guide at [guides.rubygems.org](http://guides.rubygems.org/rubygems-basics/)
 
+## Requirements
+
+* RubyGems 2.6 supports Ruby 2.4 or lower.
+* RubyGems 2.7 supports Ruby 2.5 or lower.
+* RubyGems 3.0 supports Ruby 2.3 or later.
+
 ## Installation
 
 RubyGems is likely already installed in your Ruby environment, you can check by running `gem --version` in your terminal emulator.

data/Rakefile

@@ -79,10 +79,24 @@ end
 # --------------------------------------------------------------------
 # Creating a release
 
-task :prerelease => %w[clobber test bundler:build_metadata]
-
+task :prerelease => %w[clobber test bundler:build_metadata check_deprecations package]
 task :postrelease => %w[bundler:build_metadata:clean upload guides:publish blog:publish]
 
+desc "Check for deprecated methods with expired deprecation horizon"
+task :check_deprecations do
+  if v.segments[1] == 0 && v.segments[2] == 0
+    sh("util/rubocop -r ./util/cops/deprecations --only Rubygems/Deprecations")
+  else
+    puts "Skipping deprecation checks since not releasing a major version."
+  end
+end
+
+desc "Release rubygems-#{v}"
+task :release => :prerelease do
+  sh "gem push pkg/rubygems-update-#{v}.gem"
+end
+Rake::Task["release"].enhance(["postrelease"])
+
 Gem::PackageTask.new(spec) {}
 
 Rake::Task["package"].enhance ["pkg/rubygems-#{v}.tgz", "pkg/rubygems-#{v}.zip"]
@@ -120,7 +134,17 @@ end
 
 desc "Upload release to S3"
 task :upload_to_s3 do
-  sh "s3cmd put -P pkg/rubygems-#{v}.zip pkg/rubygems-#{v}.tgz s3://oregon.production.s3.rubygems.org/rubygems/"
+  begin
+    require "aws-sdk-s3"
+  rescue LoadError
+    abort "Install the aws-sdk-s3 gem to be able to upload gems to rubygems.org."
+  end
+
+  s3 = Aws::S3::Resource.new(region:'us-west-2')
+  %w[zip tgz].each do |ext|
+    obj = s3.bucket('oregon.production.s3.rubygems.org').object("rubygems/rubygems-#{v}.#{ext}")
+    obj.upload_file("pkg/rubygems-#{v}.#{ext}")
+  end
 end
 
 desc "Upload release to rubygems.org"

data/bundler/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 1.17.3 (2018-12-27)
+
+Bugfixes:
+
+ - Fix a Bundler error when installing gems on old versions of RubyGems ([#6839](https://github.com/bundler/bundler/issues/6839), @colby-swandale)
+ - Fix a rare issue where Bundler was removing itself after a `bundle clean` ([#6829](https://github.com/bundler/bundler/issues/6829), @colby-swandale)
+
+Documentation:
+
+  - Add entry for the `bundle remove` command to the main Bundler manual page
+
 ## 1.17.2 (2018-12-11)
 
  - Add compatibility for bundler merge with Ruby 2.6

data/bundler/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2018-12-19".freeze
-    @git_commit_sha = "3fc4de72b".freeze
+    @built_at = "2019-06-14".freeze
+    @git_commit_sha = "d7089abb6".freeze
     @release = false
     # end ivars
 

data/bundler/lib/bundler/rubygems_gem_installer.rb

@@ -10,6 +10,13 @@ module Bundler
       end
     end
 
+    attr_reader :options
+
+    def initialize(gem, options = {})
+      @options = {}
+      super
+    end
+
     def check_executable_overwrite(filename)
       # Bundler needs to install gems regardless of binstub overwriting
     end

data/bundler/lib/bundler/source/metadata.rb

@@ -19,9 +19,8 @@ module Bundler
             # can't point to the actual gemspec or else the require paths will be wrong
             s.loaded_from = File.expand_path("..", __FILE__)
           end
-          if loaded_spec = Bundler.rubygems.loaded_specs("bundler")
-            idx << loaded_spec # this has to come after the fake gemspec, to override it
-          elsif local_spec = Bundler.rubygems.find_name("bundler").find {|s| s.version.to_s == VERSION }
+
+          if local_spec = Bundler.rubygems.find_name("bundler").find {|s| s.version.to_s == VERSION }
             idx << local_spec
           end
 

data/bundler/lib/bundler/version.rb

@@ -7,7 +7,7 @@ module Bundler
   # We're doing this because we might write tests that deal
   # with other versions of bundler and we are unsure how to
   # handle this better.
-  VERSION = "1.17.2" unless defined?(::Bundler::VERSION)
+  VERSION = "1.17.3" unless defined?(::Bundler::VERSION)
 
   def self.overwrite_loaded_gem_version
     begin

data/bundler/man/bundle.ronn

@@ -94,6 +94,9 @@ We divide `bundle` subcommands into primary commands and utilities:
 * [`bundle doctor(1)`](bundle-doctor.1.html):
   Display warnings about common problems
 
+* [`bundle remove(1)`](bundle-remove.1.html):
+  Removes gems from the Gemfile
+
 ## PLUGINS
 
 When running a command that isn't listed in PRIMARY COMMANDS or UTILITIES,

data/lib/rubygems/command_manager.rb

@@ -7,6 +7,7 @@
 
 require 'rubygems/command'
 require 'rubygems/user_interaction'
+require 'rubygems/text'
 
 ##
 # The command manager registers and installs all the individual sub-commands
@@ -32,6 +33,7 @@ require 'rubygems/user_interaction'
 
 class Gem::CommandManager
 
+  include Gem::Text
   include Gem::UserInteraction
 
   BUILTIN_COMMANDS = [ # :nodoc:
@@ -145,12 +147,12 @@ class Gem::CommandManager
   def run(args, build_args=nil)
     process_args(args, build_args)
   rescue StandardError, Timeout::Error => ex
-    alert_error "While executing gem ... (#{ex.class})\n    #{ex}"
+    alert_error clean_text("While executing gem ... (#{ex.class})\n    #{ex}")
     ui.backtrace ex
 
     terminate_interaction(1)
   rescue Interrupt
-    alert_error "Interrupted"
+    alert_error clean_text("Interrupted")
     terminate_interaction(1)
   end
 
@@ -167,8 +169,14 @@ class Gem::CommandManager
     when '-v', '--version' then
       say Gem::VERSION
       terminate_interaction 0
+    when '--no-ri', '--no-rdoc' then
+      # This was added to compensate for a deprecation warning not being shown
+      # in Rubygems 2.x.x.
+      # TODO: Remove when Rubygems 3.1 is released.
+      alert_error "Invalid option: #{args.first}. Use --no-document instead."
+      terminate_interaction 1
     when /^-/ then
-      alert_error "Invalid option: #{args.first}. See 'gem --help'."
+      alert_error clean_text("Invalid option: #{args.first}. See 'gem --help'.")
       terminate_interaction 1
     else
       cmd_name = args.shift.downcase
@@ -224,7 +232,7 @@ class Gem::CommandManager
     rescue Exception => e
       e = load_error if load_error
 
-      alert_error "Loading command: #{command_name} (#{e.class})\n\t#{e}"
+      alert_error clean_text("Loading command: #{command_name} (#{e.class})\n\t#{e}")
       ui.backtrace e
     end
   end

data/lib/rubygems/commands/build_command.rb

@@ -18,6 +18,10 @@ class Gem::Commands::BuildCommand < Gem::Command
     add_option '-o', '--output FILE', 'output gem with the given filename' do |value, options|
       options[:output] = value
     end
+
+    add_option '-C PATH', '', 'Run as if gem build was started in <PATH> instead of the current working directory.' do |value, options|
+      options[:build_path] = value
+    end
   end
 
   def arguments # :nodoc:
@@ -60,25 +64,36 @@ Gems can be saved to a specified filename with the output option:
     end
 
     if File.exist? gemspec
-      Dir.chdir(File.dirname(gemspec)) do
-        spec = Gem::Specification.load File.basename(gemspec)
-
-        if spec
-          Gem::Package.build(
-            spec,
-            options[:force],
-            options[:strict],
-            options[:output]
-          )
-        else
-          alert_error "Error loading gemspec. Aborting."
-          terminate_interaction 1
+      spec = Gem::Specification.load(gemspec)
+
+      if options[:build_path]
+        Dir.chdir(File.dirname(gemspec)) do
+          spec = Gem::Specification.load File.basename(gemspec)
+          build_package(spec)
         end
+      else
+        build_package(spec)
       end
+
     else
       alert_error "Gemspec file not found: #{gemspec}"
       terminate_interaction 1
     end
   end
 
+  private
+
+  def build_package(spec)
+    if spec
+      Gem::Package.build(
+        spec,
+        options[:force],
+        options[:strict],
+        options[:output]
+      )
+    else
+      alert_error "Error loading gemspec. Aborting."
+      terminate_interaction 1
+    end
+  end
 end

data/lib/rubygems/commands/owner_command.rb

@@ -2,8 +2,11 @@
 require 'rubygems/command'
 require 'rubygems/local_remote_options'
 require 'rubygems/gemcutter_utilities'
+require 'rubygems/text'
 
 class Gem::Commands::OwnerCommand < Gem::Command
+
+  include Gem::Text
   include Gem::LocalRemoteOptions
   include Gem::GemcutterUtilities
 
@@ -60,12 +63,14 @@ permission to.
   end
 
   def show_owners(name)
+    Gem.load_yaml
+
     response = rubygems_api_request :get, "api/v1/gems/#{name}/owners.yaml" do |request|
       request.add_field "Authorization", api_key
     end
 
     with_response response do |resp|
-      owners = Gem::SafeYAML.load resp.body
+      owners = Gem::SafeYAML.load clean_text(resp.body)
 
       say "Owners for gem: #{name}"
       owners.each do |owner|

data/lib/rubygems/commands/setup_command.rb

@@ -312,7 +312,7 @@ By default, this RubyGems will install gem as:
     dest_file = File.join dest_dir, file
     dest_dir = File.dirname dest_file
     unless File.directory? dest_dir
-      mkdir_p dest_dir, :mode => 0700
+      mkdir_p dest_dir, :mode => 0755
     end
 
     install file, dest_file, :mode => options[:data_mode] || 0644
@@ -387,7 +387,7 @@ By default, this RubyGems will install gem as:
 
     specs_dir = Gem::Specification.default_specifications_dir
     specs_dir = File.join(options[:destdir], specs_dir) unless Gem.win_platform?
-    mkdir_p specs_dir, :mode => 0700
+    mkdir_p specs_dir, :mode => 0755
 
     # Workaround for non-git environment.
     gemspec = File.open('bundler/bundler.gemspec', 'rb'){|f| f.read.gsub(/`git ls-files -z`/, "''") }
@@ -422,7 +422,7 @@ By default, this RubyGems will install gem as:
 
     bundler_bin_dir = bundler_spec.bin_dir
     bundler_bin_dir = File.join(options[:destdir], bundler_bin_dir) unless Gem.win_platform?
-    mkdir_p bundler_bin_dir, :mode => 0700
+    mkdir_p bundler_bin_dir, :mode => 0755
     bundler_spec.executables.each do |e|
       cp File.join("bundler", bundler_spec.bindir, e), File.join(bundler_bin_dir, e)
     end
@@ -446,8 +446,8 @@ By default, this RubyGems will install gem as:
       lib_dir, bin_dir = generate_default_dirs(install_destdir)
     end
 
-    mkdir_p lib_dir, :mode => 0700
-    mkdir_p bin_dir, :mode => 0700
+    mkdir_p lib_dir, :mode => 0755
+    mkdir_p bin_dir, :mode => 0755
 
     return lib_dir, bin_dir
   end

data/lib/rubygems/dependency_list.rb

@@ -134,7 +134,7 @@ class Gem::DependencyList
   end
 
   ##
-  # Is is ok to remove a gemspec from the dependency list?
+  # It is ok to remove a gemspec from the dependency list?
   #
   # If removing the gemspec creates breaks a currently ok dependency, then it
   # is NOT ok to remove the gemspec.

data/lib/rubygems/gemcutter_utilities.rb

@@ -1,11 +1,14 @@
 # frozen_string_literal: true
 require 'rubygems/remote_fetcher'
+require 'rubygems/text'
 
 ##
 # Utility methods for using the RubyGems API.
 
 module Gem::GemcutterUtilities
 
+  include Gem::Text
+
   # TODO: move to Gem::Command
   OptionParser.accept Symbol do |value|
     value.to_sym
@@ -162,13 +165,13 @@ module Gem::GemcutterUtilities
       if block_given?
         yield response
       else
-        say response.body
+        say clean_text(response.body)
       end
     else
       message = response.body
       message = "#{error_prefix}: #{message}" if error_prefix
 
-      say message
+      say clean_text(message)
       terminate_interaction 1 # TODO: question this
     end
   end

data/lib/rubygems/install_update_options.rb

@@ -30,7 +30,7 @@ module Gem::InstallUpdateOptions
       options[:bin_dir] = File.expand_path(value)
     end
 
-    add_option(:"Install/Update",       '--[no-]document [TYPES]', Array,
+    add_option(:"Install/Update",       '--document [TYPES]', Array,
                'Generate documentation for installed gems',
                'List the documentation types you wish to',
                'generate.  For example: rdoc,ri') do |value, options|

data/lib/rubygems/installer.rb

@@ -309,7 +309,7 @@ class Gem::Installer
     FileUtils.rm_rf spec.extension_dir
 
     dir_mode = options[:dir_mode]
-    FileUtils.mkdir_p gem_dir, :mode => dir_mode && 0700
+    FileUtils.mkdir_p gem_dir, :mode => dir_mode && 0755
 
     if @options[:install_as_default]
       extract_bin
@@ -481,7 +481,7 @@ class Gem::Installer
     return if spec.executables.nil? or spec.executables.empty?
 
     begin
-      Dir.mkdir @bin_dir, *[options[:dir_mode] && 0700].compact
+      Dir.mkdir @bin_dir, *[options[:dir_mode] && 0755].compact
     rescue SystemCallError
       raise unless File.directory? @bin_dir
     end
@@ -525,7 +525,7 @@ class Gem::Installer
 
     FileUtils.rm_f bin_script_path # prior install may have been --no-wrappers
 
-    File.open bin_script_path, 'wb', 0700 do |file|
+    File.open bin_script_path, 'wb', 0755 do |file|
       file.print app_script_text(filename)
       file.chmod(options[:prog_mode] || 0755)
     end
@@ -720,14 +720,31 @@ class Gem::Installer
   end
 
   def verify_gem_home(unpack = false) # :nodoc:
-    FileUtils.mkdir_p gem_home, :mode => options[:dir_mode] && 0700
+    FileUtils.mkdir_p gem_home, :mode => options[:dir_mode] && 0755
     raise Gem::FilePermissionError, gem_home unless
       unpack or File.writable?(gem_home)
   end
 
-  def verify_spec_name
-    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
-    raise Gem::InstallError, "#{spec} has an invalid name"
+  def verify_spec
+    unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+      raise Gem::InstallError, "#{spec} has an invalid name"
+    end
+
+    if spec.raw_require_paths.any?{|path| path =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid require_paths"
+    end
+
+    if spec.extensions.any?{|ext| ext =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid extensions"
+    end
+
+    unless spec.specification_version.to_s =~ /\A\d+\z/
+      raise Gem::InstallError, "#{spec} has an invalid specification_version"
+    end
+
+    if spec.dependencies.any? {|dep| dep.type =~ /\R/ || dep.name =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid dependencies"
+    end
   end
 
   ##
@@ -876,9 +893,11 @@ TEXT
   def pre_install_checks
     verify_gem_home options[:unpack]
 
-    ensure_loadable_spec
+    # The name and require_paths must be verified first, since it could contain
+    # ruby code that would be eval'ed in #ensure_loadable_spec
+    verify_spec
 
-    verify_spec_name
+    ensure_loadable_spec
 
     if options[:install_as_default]
       Gem.ensure_default_gem_subdirectories gem_home
@@ -905,7 +924,7 @@ TEXT
     build_info_dir = File.join gem_home, 'build_info'
 
     dir_mode = options[:dir_mode]
-    FileUtils.mkdir_p build_info_dir, :mode => dir_mode && 0700
+    FileUtils.mkdir_p build_info_dir, :mode => dir_mode && 0755
 
     build_info_file = File.join build_info_dir, "#{spec.full_name}.info"
 

data/lib/rubygems/package/old.rb

@@ -78,7 +78,7 @@ class Gem::Package::Old < Gem::Package
 
         FileUtils.rm_rf destination
 
-        FileUtils.mkdir_p File.dirname(destination), :mode => dir_mode && 0700
+        FileUtils.mkdir_p File.dirname(destination), :mode => dir_mode && 0755
 
         File.open destination, 'wb', file_mode(entry['mode']) do |out|
           out.write file_data