rubygems-update 2.0.16 → 2.0.17

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: a73bcbd4fbbd72da068f225bc86a61ba6e7ee981
4
- data.tar.gz: ab58dc5df51e0735110298073c0780cd855c5d99
3
+ metadata.gz: dbde61dab685c676ad6b3dbe594ca9b6a2fe3651
4
+ data.tar.gz: e51f4f77c0dc1e2146f4729fdbef2f3269bc1791
5
5
  SHA512:
6
- metadata.gz: 40308a04d1211aef0db6578595838f31c9649bef3e1ccabbbf9ddebfbcce5f61401d6986465f7055b7c821f3330ddd351d06962f1b50d0a567843e11218438bc
7
- data.tar.gz: 9c265d4e0c4093e4e44ee0e4e676b3db15ae28fff711e5ffc650fca99eb707f7cb8f49040080b901b2ba4ba3ea16df43f9008ef3caec8fbc9c745d5adefc1b77
6
+ metadata.gz: 7f24bbd6a889494e182f6cbbe5e333cb324b4fa6cc238e33bcb4bf7b4a7ab1237669fb0451d70b2e40918d2dc4d6fee1543bde13596cdcd7f8a6027b2f4fa3ae
7
+ data.tar.gz: f3408ab7122d1dff8c99224606aaf3be0f2863a18d0ce1157c608d29f1b7fc77a41bdce9af238aeac9e194e96f4d4fd77faa4ce854b2aeafd1770a1572412c64
@@ -1,5 +1,11 @@
1
1
  # coding: UTF-8
2
2
 
3
+ === 2.0.17 / 2015-06-08
4
+
5
+ Bug fixes:
6
+
7
+ * Tightened API endpoint checks for CVE-2015-3900
8
+
3
9
  === 2.0.16 / 2015-05-14
4
10
 
5
11
  Bug fixes:
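Review bot: the changelog line `+ * Tightened API endpoint checks for CVE-2015-3900` names the advisory but not the behavioural change, so a reader deciding whether to upgrade cannot tell what got tighter. One extra clause would do, e.g. that a DNS-derived API endpoint is now accepted only when its hostname is a subdomain of the original host (the new `/\.#{Regexp.quote(host)}\z/` check in `Gem::RemoteFetcher#api_endpoint`).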
@@ -8,7 +8,7 @@
8
8
  require 'rbconfig'
9
9
 
10
10
  module Gem
11
- VERSION = '2.0.16'
11
+ VERSION = '2.0.17'
12
12
  end
13
13
 
14
14
  # Must be first since it unloads the prelude from 1.9.2
@@ -105,7 +105,7 @@ class Gem::RemoteFetcher
105
105
  else
106
106
  target = res.target.to_s.strip
107
107
 
108
- if /#{host}\z/ =~ target
108
+ if /\.#{Regexp.quote(host)}\z/ =~ target
109
109
  return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
110
110
  end
111
111
 
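Review bot: the new pattern closes two defects in `/#{host}\z/` at once: the host was interpolated unescaped, so its `.` matched any character, and there was no separator before it, so any hostname that merely ended in the host string (`badexample.com` for `example.com`, as the new test shows) passed the check. Two points to settle before merging. First, `/\.#{Regexp.quote(host)}\z/` no longer matches a target equal to `host` itself, so such a record now falls through past the `end` instead of returning the rewritten URI; if that is intended, a comment here would help, otherwise `target == host || target.end_with?(".#{host}")` states the rule without a regexp. Second, hostnames are case-insensitive but this match is not; consider downcasing `target` and `host` or adding `/i`.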
@@ -206,6 +206,36 @@ gems:
206
206
  dns.verify
207
207
  end
208
208
 
209
+ def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
210
+ uri = URI.parse "http://example.com/foo"
211
+ target = MiniTest::Mock.new
212
+ target.expect :target, "example.combadguy.com"
213
+
214
+ dns = MiniTest::Mock.new
215
+ dns.expect :getresource, target, [String, Object]
216
+
217
+ fetch = Gem::RemoteFetcher.new nil, dns
218
+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
219
+
220
+ target.verify
221
+ dns.verify
222
+ end
223
+
224
+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
225
+ uri = URI.parse "http://example.com/foo"
226
+ target = MiniTest::Mock.new
227
+ target.expect :target, "badexample.com"
228
+
229
+ dns = MiniTest::Mock.new
230
+ dns.expect :getresource, target, [String, Object]
231
+
232
+ fetch = Gem::RemoteFetcher.new nil, dns
233
+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
234
+
235
+ target.verify
236
+ dns.verify
237
+ end
238
+
209
239
  def test_cache_update_path
210
240
  uri = URI 'http://example/file'
211
241
  path = File.join @tempdir, 'file'
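Review bot: of the two new tests, only `test_api_endpoint_ignores_trans_domain_values_that_end_with_original` pins the regression: `badexample.com` matched the old `/#{host}\z/` and is rejected by the new pattern. The `starts_with_original` case, `example.combadguy.com`, does not end in `example.com`, so it is rejected by both the old and the new expression and would pass unchanged on 2.0.16; it is fine as documentation, but the `Regexp.quote` half of the fix is not exercised by either test. A target where a character other than `.` stands in for the dot (for example `exampleXcom`) would cover it, and a positive case such as `api.example.com` would confirm that legitimate subdomains are still redirected. Minor: `that_starts_with_original` should read `that_start_with_original` to match its sibling.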
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rubygems-update
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.16
4
+ version: 2.0.17
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jim Weirich
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2015-05-14 00:00:00.000000000 Z
13
+ date: 2015-06-08 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: minitest
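Review bot: `cert_chain: []` in this hunk shows that a release carrying a CVE fix is shipped unsigned, so the only integrity data a client has is the `checksums.yaml` block that travels inside the same archive. Consider signing the gem so that installs with a trust policy (`gem install -P HighSecurity`) can validate it, and update the version and date lines together with that change rather than in a follow-up.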