RubyGems - rubygems-update - Versions diffs - 2.0.16 → 2.0.17 - Mend

rubygems-update 2.0.16 → 2.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rubygems-update might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml +4 -4
data/History.txt +6 -0
data/lib/rubygems.rb +1 -1
data/lib/rubygems/remote_fetcher.rb +1 -1
data/test/rubygems/test_gem_remote_fetcher.rb +30 -0
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a73bcbd4fbbd72da068f225bc86a61ba6e7ee981
-  data.tar.gz: ab58dc5df51e0735110298073c0780cd855c5d99
+  metadata.gz: dbde61dab685c676ad6b3dbe594ca9b6a2fe3651
+  data.tar.gz: e51f4f77c0dc1e2146f4729fdbef2f3269bc1791
 SHA512:
-  metadata.gz: 40308a04d1211aef0db6578595838f31c9649bef3e1ccabbbf9ddebfbcce5f61401d6986465f7055b7c821f3330ddd351d06962f1b50d0a567843e11218438bc
-  data.tar.gz: 9c265d4e0c4093e4e44ee0e4e676b3db15ae28fff711e5ffc650fca99eb707f7cb8f49040080b901b2ba4ba3ea16df43f9008ef3caec8fbc9c745d5adefc1b77
+  metadata.gz: 7f24bbd6a889494e182f6cbbe5e333cb324b4fa6cc238e33bcb4bf7b4a7ab1237669fb0451d70b2e40918d2dc4d6fee1543bde13596cdcd7f8a6027b2f4fa3ae
+  data.tar.gz: f3408ab7122d1dff8c99224606aaf3be0f2863a18d0ce1157c608d29f1b7fc77a41bdce9af238aeac9e194e96f4d4fd77faa4ce854b2aeafd1770a1572412c64

data/History.txt CHANGED

@@ -1,5 +1,11 @@
 # coding: UTF-8
+=== 2.0.17 / 2015-06-08
+Bug fixes:
+* Tightened API endpoint checks for CVE-2015-3900
 === 2.0.16 / 2015-05-14
 Bug fixes:

data/lib/rubygems.rb CHANGED

@@ -8,7 +8,7 @@
 require 'rbconfig'
 module Gem
-  VERSION = '2.0.16'
+  VERSION = '2.0.17'
 end
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/remote_fetcher.rb CHANGED

@@ -105,7 +105,7 @@ class Gem::RemoteFetcher
     else
       target = res.target.to_s.strip
-      if /#{host}\z/ =~ target
+      if /\.#{Regexp.quote(host)}\z/ =~ target
         return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
       end

data/test/rubygems/test_gem_remote_fetcher.rb CHANGED

@@ -206,6 +206,36 @@ gems:
     dns.verify
   end
+  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "example.combadguy.com"
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+    target.verify
+    dns.verify
+  end
+  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "badexample.com"
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+    target.verify
+    dns.verify
+  end
   def test_cache_update_path
     uri = URI 'http://example/file'
     path = File.join @tempdir, 'file'

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.0.16
+  version: 2.0.17
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-05-14 00:00:00.000000000 Z
+date: 2015-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest