rubygems-update 1.8.9 → 1.8.10

data/History.txt

@@ -1,5 +1,22 @@
 # coding: UTF-8
 
+=== 1.8.10 / 2011-08-25
+
+RubyGems 1.8.10 contains a security fix that prevents malicious gems from
+executing code when their specification is loaded.  See
+https://github.com/rubygems/rubygems/pull/165 for details.
+
+* 5 bug fixes:
+
+  * RubyGems escapes strings in ruby-format specs using #dump instead of #to_s
+    and %q to prevent code injection.  Issue #165 by Postmodern
+  * RubyGems attempt to activate the psych gem now to obtain bugfixes from
+    psych.
+  * Gem.dir has been restored to the front of Gem.path.  Fixes remaining
+    problem with Issue #115
+  * Fixed Syck DefaultKey infecting ruby-format specifications.
+  * `gem uninstall a b` no longer stops if gem "a" is not installed.
+
 === 1.8.9 / 2011-08-23
 
 * Bug fixes:

data/lib/rubygems.rb

@@ -118,7 +118,7 @@ require "rubygems/deprecate"
 # -The RubyGems Team
 
 module Gem
-  VERSION = '1.8.9'
+  VERSION = '1.8.10'
 
   ##
   # Raised when RubyGems is unable to load or activate a gem.  Contains the
@@ -644,7 +644,15 @@ module Gem
 
   def self.load_yaml
     begin
-      require 'psych'
+      gem 'psych', '~> 1.2', '>= 1.2.1' unless ENV['TEST_SYCK']
+    rescue Gem::LoadError
+      # It's OK if the user does not have the psych gem installed.  We will
+      # attempt to require the stdlib version
+    end
+
+    begin
+      # Try requiring the gem version *or* stdlib version of psych.
+      require 'psych' unless ENV['TEST_SYCK']
     rescue ::LoadError
     ensure
       require 'yaml'

data/lib/rubygems/commands/uninstall_command.rb

@@ -78,6 +78,8 @@ class Gem::Commands::UninstallCommand < Gem::Command
     get_all_gem_names.each do |gem_name|
       begin
         Gem::Uninstaller.new(gem_name, options).uninstall
+      rescue Gem::InstallError => e
+        alert e.message
       rescue Gem::GemNotInHomeException => e
         spec = e.spec
         alert("In order to remove #{spec.name}, please execute:\n" \

data/lib/rubygems/path_support.rb

@@ -1,5 +1,4 @@
 ##
-#
 # Gem::PathSupport facilitates the GEM_HOME and GEM_PATH environment settings
 # to the rest of RubyGems.
 #
@@ -43,18 +42,16 @@ class Gem::PathSupport
   # Set the Gem search path (as reported by Gem.path).
 
   def path=(gpaths)
-    # FIX: it should be [home, *path], not [*path, home]
-
-    gem_path = []
+    gem_path = [@home]
 
     # FIX: I can't tell wtf this is doing.
     gpaths ||= (ENV['GEM_PATH'] || "").empty? ? nil : ENV["GEM_PATH"]
 
-    if gpaths
-      if gpaths.kind_of?(Array)
-        gem_path = gpaths.dup
+    if gpaths then
+      if gpaths.kind_of?(Array) then
+        gem_path.push(*gpaths)
       else
-        gem_path = gpaths.split(File::PATH_SEPARATOR)
+        gem_path.push(*gpaths.split(File::PATH_SEPARATOR))
       end
 
       if File::ALT_SEPARATOR then
@@ -62,14 +59,10 @@ class Gem::PathSupport
           this_path.gsub File::ALT_SEPARATOR, File::SEPARATOR
         end
       end
-
-      gem_path << @home
     else
-      gem_path = Gem.default_path + [@home]
+      gem_path.push(*Gem.default_path)
 
-      if defined?(APPLE_GEM_HOME)
-        gem_path << APPLE_GEM_HOME
-      end
+      gem_path << APPLE_GEM_HOME if defined?(APPLE_GEM_HOME)
     end
 
     @path = gem_path.uniq

data/lib/rubygems/requirement.rb

@@ -16,6 +16,9 @@ module YAML
   if !defined? Syck
     module Syck
       class DefaultKey
+        def to_s
+          '='
+        end
       end
     end
   end

data/lib/rubygems/specification.rb

@@ -1459,7 +1459,7 @@ class Gem::Specification
     # TODO: do we need these?? Kill it
     glob = File.join(self.lib_dirs_glob, glob)
 
-    Dir[glob].map { |f| f.untaint } # FIX our tests are brokey, run w/ SAFE=1
+    Dir[glob].map { |f| f.untaint } # FIX our tests are broken, run w/ SAFE=1
   end
 
   ##
@@ -1690,11 +1690,11 @@ class Gem::Specification
 
   def ruby_code(obj)
     case obj
-    when String            then '%q{' + obj + '}'
+    when String            then obj.dump
     when Array             then '[' + obj.map { |x| ruby_code x }.join(", ") + ']'
-    when Gem::Version      then obj.to_s.inspect
-    when Date              then '%q{' + obj.strftime('%Y-%m-%d') + '}'
-    when Time              then '%q{' + obj.strftime('%Y-%m-%d') + '}'
+    when Gem::Version      then obj.to_s.dump
+    when Date              then obj.strftime('%Y-%m-%d').dump
+    when Time              then obj.strftime('%Y-%m-%d').dump
     when Numeric           then obj.inspect
     when true, false, nil  then obj.inspect
     when Gem::Platform     then "Gem::Platform.new(#{obj.to_a.inspect})"

data/test/rubygems/test_gem.rb

@@ -733,7 +733,7 @@ class TestGem < Gem::TestCase
 
     Gem.instance_variable_set :@paths, nil
 
-    assert_equal [Gem.default_path, Gem.dir].flatten.uniq, Gem.path
+    assert_equal [Gem.dir, *Gem.default_path].uniq, Gem.path
   ensure
     Object.const_set :APPLE_GEM_HOME, orig_APPLE_GEM_HOME if orig_APPLE_GEM_HOME
   end
@@ -772,11 +772,10 @@ class TestGem < Gem::TestCase
 
     ENV['GEM_PATH'] = @additional.join(File::PATH_SEPARATOR)
 
-    assert_equal @additional, Gem.path[0,2]
+    assert_equal [Gem.dir, *@additional], Gem.path
 
     assert_equal path_count + @additional.size, Gem.path.size,
                  "extra path components: #{Gem.path[2..-1].inspect}"
-    assert_equal Gem.dir, Gem.path.last
   end
 
   def test_self_path_duplicate
@@ -789,8 +788,7 @@ class TestGem < Gem::TestCase
 
     assert_equal @gemhome, Gem.dir
 
-    paths = [Gem.dir]
-    assert_equal @additional + paths, Gem.path
+    assert_equal [Gem.dir, *@additional], Gem.path
   end
 
   def test_self_path_overlap
@@ -802,8 +800,7 @@ class TestGem < Gem::TestCase
 
     assert_equal @gemhome, Gem.dir
 
-    paths = [Gem.dir]
-    assert_equal @additional + paths, Gem.path
+    assert_equal [Gem.dir, *@additional], Gem.path
   end
 
   def test_self_platforms
@@ -923,7 +920,7 @@ class TestGem < Gem::TestCase
     ENV["GEM_HOME"] = @gemhome
     Gem.paths = { "GEM_PATH" => path }
 
-    assert_equal [@userhome, other, @gemhome], Gem.path
+    assert_equal [@gemhome, @userhome, other], Gem.path
   end
 
   def test_self_paths_eq_nonexistent_home
@@ -936,7 +933,7 @@ class TestGem < Gem::TestCase
 
     Gem.paths = { "GEM_PATH" => other }
 
-    assert_equal [other, @gemhome], Gem.path
+    assert_equal [@gemhome, other], Gem.path
   end
 
   def test_self_source_index
@@ -983,7 +980,7 @@ class TestGem < Gem::TestCase
     Gem.use_paths @gemhome, @additional
 
     assert_equal @gemhome, Gem.dir
-    assert_equal @additional + [Gem.dir], Gem.path
+    assert_equal [Gem.dir, *@additional], Gem.path
   end
 
   def test_self_user_dir

data/test/rubygems/test_gem_commands_specification_command.rb

@@ -135,7 +135,7 @@ class TestGemCommandsSpecificationCommand < Gem::TestCase
     end
 
     assert_match %r|Gem::Specification.new|, @ui.output
-    assert_match %r|s.name = %q\{foo\}|, @ui.output
+    assert_match %r|s.name = "foo"|, @ui.output
     assert_equal '', @ui.error
   end
 

data/test/rubygems/test_gem_commands_uninstall_command.rb

@@ -45,6 +45,19 @@ class TestGemCommandsUninstallCommand < Gem::InstallerTestCase
     assert_includes output, "Successfully uninstalled #{@other.full_name}"
   end
 
+  def test_execute_mulitple_nonexistent
+    @cmd.options[:args] = %w[x y]
+
+    use_ui @ui do
+      @cmd.execute
+    end
+
+    output = @ui.output.split "\n"
+
+    assert_includes output, 'INFO:  gem "x" is not installed'
+    assert_includes output, 'INFO:  gem "y" is not installed'
+  end
+
   def test_execute_removes_executable
     ui = Gem::MockGemUi.new
     util_setup_gem ui

data/test/rubygems/test_gem_gem_runner.rb

@@ -25,7 +25,7 @@ class TestGemGemRunner < Gem::TestCase
     gr = Gem::GemRunner.new
     gr.send :do_configuration, %W[--config-file #{temp_conf}]
 
-    assert_equal [other_gem_path, other_gem_home], Gem.path
+    assert_equal [other_gem_home, other_gem_path], Gem.path
     assert_equal %w[--commands], Gem::Command.extra_args
     assert_equal %w[--all], Gem::DocManager.configured_args
   end

data/test/rubygems/test_gem_path_support.rb

@@ -22,10 +22,10 @@ class TestGemPathSupport < Gem::TestCase
   def test_initialize_home
     ps = Gem::PathSupport.new "GEM_HOME" => "#{@tempdir}/foo"
 
-    assert_equal File.join(@tempdir, "foo"), ps.home
+    expected = File.join(@tempdir, "foo")
+    assert_equal expected, ps.home
 
-    expected = util_path + [File.join(@tempdir, 'foo')]
-    assert_equal expected, ps.path
+    assert_equal [expected, *util_path], ps.path
   end
 
   if defined?(File::ALT_SEPARATOR) and File::ALT_SEPARATOR
@@ -43,9 +43,9 @@ class TestGemPathSupport < Gem::TestCase
     assert_equal ENV["GEM_HOME"], ps.home
 
     expected = [
+                ENV["GEM_HOME"],
                 File.join(@tempdir, 'foo'),
                 File.join(@tempdir, 'bar'),
-                ENV["GEM_HOME"],
                ]
 
     assert_equal expected, ps.path
@@ -61,6 +61,32 @@ class TestGemPathSupport < Gem::TestCase
     assert_equal expected, ps.path
   end
 
+  def test_path_equals
+    ps = Gem::PathSupport.new
+
+    ps.send :path=, ['a', 'b']
+
+    assert_equal [@tempdir, 'a', 'b'], ps.path
+  end
+
+  def test_path_equals_empty
+    ps = Gem::PathSupport.new
+
+    ps.send :path=, nil
+
+    assert_equal [@tempdir, 'something'], ps.path
+  end
+
+  def test_path_equals_empty_no_GEM_PATH
+    ENV.delete 'GEM_PATH'
+
+    ps = Gem::PathSupport.new
+
+    ps.send :path=, nil
+
+    assert_equal [@tempdir, *Gem.default_path], ps.path
+  end
+
   def util_path
     ENV["GEM_PATH"].split(File::PATH_SEPARATOR)
   end

data/test/rubygems/test_gem_specification.rb

@@ -114,7 +114,7 @@ end
     assert_equal @current_version, new_spec.specification_version
   end
 
-  def test_self_from_yaml_syck_bug
+  def test_self_from_yaml_syck_date_bug
     # This is equivalent to (and totally valid) psych 1.0 output and
     # causes parse errors on syck.
     yaml = @a1.to_yaml
@@ -128,6 +128,41 @@ end
     assert_kind_of Time, new_spec.date
   end
 
+  def test_self_from_yaml_syck_default_key_bug
+    skip 'syck default_key bug is only for ruby 1.8' unless RUBY_VERSION < '1.9'
+    # This is equivalent to (and totally valid) psych 1.0 output and
+    # causes parse errors on syck.
+    yaml = <<-YAML
+--- !ruby/object:Gem::Specification
+name: posix-spawn
+version: !ruby/object:Gem::Version
+  version: 0.3.6
+  prerelease: 
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: &70243867725240 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - =
+      - !ruby/object:Gem::Version
+        version: 0.7.6
+  type: :development
+  prerelease: false
+  version_requirements: *70243867725240
+platform: ruby
+files: []
+test_files: []
+bindir:
+    YAML
+
+    new_spec = with_syck do
+      Gem::Specification.from_yaml yaml
+    end
+
+    refute_match %r%DefaultKey%, new_spec.to_ruby
+  end
+
   def test_self_load
     full_path = @a2.spec_file
     write_file full_path do |io|
@@ -141,6 +176,51 @@ end
     assert_equal @a2, spec
   end
 
+  def test_self_load_escape_curly
+    @a2.name = 'a};raise "improper escaping";%q{'
+
+    full_path = @a2.spec_file
+    write_file full_path do |io|
+      io.write @a2.to_ruby_for_cache
+    end
+
+    spec = Gem::Specification.load full_path
+
+    @a2.files.clear
+
+    assert_equal @a2, spec
+  end
+
+  def test_self_load_escape_interpolation
+    @a2.name = 'a#{raise %<improper escaping>}'
+
+    full_path = @a2.spec_file
+    write_file full_path do |io|
+      io.write @a2.to_ruby_for_cache
+    end
+
+    spec = Gem::Specification.load full_path
+
+    @a2.files.clear
+
+    assert_equal @a2, spec
+  end
+
+  def test_self_load_escape_quote
+    @a2.name = 'a";raise "improper escaping";"'
+
+    full_path = @a2.spec_file
+    write_file full_path do |io|
+      io.write @a2.to_ruby_for_cache
+    end
+
+    spec = Gem::Specification.load full_path
+
+    @a2.files.clear
+
+    assert_equal @a2, spec
+  end
+
   def test_self_load_legacy_ruby
     spec = Deprecate.skip_during do
       eval LEGACY_RUBY_SPEC
@@ -754,19 +834,19 @@ end
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{a}
-  s.version = \"2\"
+  s.name = "a"
+  s.version = "2"
 
   s.required_rubygems_version = Gem::Requirement.new(\"> 0\") if s.respond_to? :required_rubygems_version=
-  s.authors = [%q{A User}]
-  s.date = %q{#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}}
-  s.description = %q{This is a test description}
-  s.email = %q{example@example.com}
-  s.files = [%q{lib/code.rb}]
-  s.homepage = %q{http://example.com}
-  s.require_paths = [%q{lib}]
-  s.rubygems_version = %q{#{Gem::VERSION}}
-  s.summary = %q{this is a summary}
+  s.authors = ["A User"]
+  s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}"
+  s.description = "This is a test description"
+  s.email = "example@example.com"
+  s.files = ["lib/code.rb"]
+  s.homepage = "http://example.com"
+  s.require_paths = ["lib"]
+  s.rubygems_version = "#{Gem::VERSION}"
+  s.summary = "this is a summary"
 
   if s.respond_to? :specification_version then
     s.specification_version = #{Gem::Specification::CURRENT_SPECIFICATION_VERSION}
@@ -801,18 +881,18 @@ end
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{a}
-  s.version = \"2\"
+  s.name = "a"
+  s.version = "2"
 
   s.required_rubygems_version = Gem::Requirement.new(\"> 0\") if s.respond_to? :required_rubygems_version=
-  s.authors = [%q{A User}]
-  s.date = %q{#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}}
-  s.description = %q{This is a test description}
-  s.email = %q{example@example.com}
-  s.homepage = %q{http://example.com}
-  s.require_paths = [%q{lib}]
-  s.rubygems_version = %q{#{Gem::VERSION}}
-  s.summary = %q{this is a summary}
+  s.authors = ["A User"]
+  s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}"
+  s.description = "This is a test description"
+  s.email = "example@example.com"
+  s.homepage = "http://example.com"
+  s.require_paths = ["lib"]
+  s.rubygems_version = "#{Gem::VERSION}"
+  s.summary = "this is a summary"
 
   if s.respond_to? :specification_version then
     s.specification_version = #{Gem::Specification::CURRENT_SPECIFICATION_VERSION}
@@ -848,26 +928,26 @@ end
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{a}
-  s.version = \"1\"
+  s.name = "a"
+  s.version = "1"
   s.platform = Gem::Platform.new(#{expected_platform})
 
   s.required_rubygems_version = Gem::Requirement.new(\">= 0\") if s.respond_to? :required_rubygems_version=
-  s.authors = [%q{A User}]
-  s.date = %q{#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}}
-  s.description = %q{This is a test description}
-  s.email = %q{example@example.com}
-  s.executables = [%q{exec}]
-  s.extensions = [%q{ext/a/extconf.rb}]
-  s.files = [%q{lib/code.rb}, %q{test/suite.rb}, %q{bin/exec}, %q{ext/a/extconf.rb}]
-  s.homepage = %q{http://example.com}
-  s.licenses = [%q{MIT}]
-  s.require_paths = [%q{lib}]
-  s.requirements = [%q{A working computer}]
-  s.rubyforge_project = %q{example}
-  s.rubygems_version = %q{#{Gem::VERSION}}
-  s.summary = %q{this is a summary}
-  s.test_files = [%q{test/suite.rb}]
+  s.authors = ["A User"]
+  s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}"
+  s.description = "This is a test description"
+  s.email = "example@example.com"
+  s.executables = ["exec"]
+  s.extensions = ["ext/a/extconf.rb"]
+  s.files = ["lib/code.rb", "test/suite.rb", "bin/exec", "ext/a/extconf.rb"]
+  s.homepage = "http://example.com"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.requirements = ["A working computer"]
+  s.rubyforge_project = "example"
+  s.rubygems_version = "#{Gem::VERSION}"
+  s.summary = "this is a summary"
+  s.test_files = ["test/suite.rb"]
 
   if s.respond_to? :specification_version then
     s.specification_version = 3

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rubygems-update
 version: !ruby/object:Gem::Version 
-  hash: 37
+  hash: 35
   prerelease: 
   segments: 
   - 1
   - 8
-  - 9
-  version: 1.8.9
+  - 10
+  version: 1.8.10
 platform: ruby
 authors: 
 - Jim Weirich
@@ -38,7 +38,7 @@ cert_chain:
   x52qPcexcYZR7w==
   -----END CERTIFICATE-----
 
-date: 2011-08-23 00:00:00 Z
+date: 2011-08-27 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: minitest
@@ -404,7 +404,7 @@ post_install_message:
 rdoc_options: 
 - --main
 - README.rdoc
-- --title=RubyGems 1.8.9 Documentation
+- --title=RubyGems 1.8.10 Documentation
 require_paths: 
 - hide_lib_for_update
 required_ruby_version: !ruby/object:Gem::Requirement 
@@ -430,7 +430,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rubygems
-rubygems_version: 1.8.8
+rubygems_version: 1.8.9
 signing_key: 
 specification_version: 3
 summary: RubyGems is a package management framework for Ruby