rubygems-update 2.2.4 → 2.2.5

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: e98b04b25f22f349df28ad4154da407e710580d9
4
- data.tar.gz: dbe2d28493e2a1b911a6fabd6c52a09a1b01d776
3
+ metadata.gz: 6b784798b365f2224360537c17ff3673155af0ab
4
+ data.tar.gz: 483ecdaddafc5ee9890a213e17f7847f31dbcb10
5
5
  SHA512:
6
- metadata.gz: 748b24e51af2ef2603fc2d965da192dde7b14f689e88041a648d7349985a8edb80304d3ad00046523579f3af1942ea5a50711382a5eb400a644f5ec41fa2ef3d
7
- data.tar.gz: 3e0569007b0adafb4c81221b7d09c77c40435c1581cdcd7d201285cb6492460f1f31da0c494865f2269c0cdbc63b676ffe05b63fe1cf7026015c6e56f1a22152
6
+ metadata.gz: 910de3dfc30de9c054bd26eeba5eebffaf58fe568b8ef6421614804e771a48f4509dc6fd60f1d900d0c928c3fb8e38e44c16b474fa5ef889dffcbb3b2f5d703a
7
+ data.tar.gz: 71e6e54a9caf792fe86bfec7536fd00e70aa164318c933737441ab660e5614bd00e003479e41b2fb96c55e7db86bdba932335ee6b61171e6ce880304b6247db2
data/History.txt CHANGED
@@ -1,5 +1,11 @@
1
1
  # coding: UTF-8
2
2
 
3
+ === 2.2.5 / 2015-06-08
4
+
5
+ Bug fixes:
6
+
7
+ * Tightened API endpoint checks for CVE-2015-3900
8
+
3
9
  === 2.2.4 / 2015-05-14
4
10
 
5
11
  Bug fixes:
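Review bot: the changelog entry names the CVE but not the behaviour that changed, so someone upgrading from 2.2.4 cannot tell from `* Tightened API endpoint checks for CVE-2015-3900` which check was tightened or how it now behaves. Suggest stating the observable change, e.g. "`Gem::RemoteFetcher#api_endpoint` now only accepts a DNS lookup target that is a subdomain of the requested host (ends with `.` followed by the host, with the host treated literally); any other target falls back to the original URI", so the entry documents what callers should expect.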
data/lib/rubygems.rb CHANGED
@@ -8,7 +8,7 @@
8
8
  require 'rbconfig'
9
9
 
10
10
  module Gem
11
- VERSION = '2.2.4'
11
+ VERSION = '2.2.5'
12
12
  end
13
13
 
14
14
  # Must be first since it unloads the prelude from 1.9.2
@@ -92,7 +92,7 @@ class Gem::RemoteFetcher
92
92
  else
93
93
  target = res.target.to_s.strip
94
94
 
95
- if /#{host}\z/ =~ target
95
+ if /\.#{Regexp.quote(host)}\z/ =~ target
96
96
  return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
97
97
  end
98
98
 
@@ -192,6 +192,36 @@ gems:
192
192
  dns.verify
193
193
  end
194
194
 
195
+ def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
196
+ uri = URI.parse "http://example.com/foo"
197
+ target = MiniTest::Mock.new
198
+ target.expect :target, "example.combadguy.com"
199
+
200
+ dns = MiniTest::Mock.new
201
+ dns.expect :getresource, target, [String, Object]
202
+
203
+ fetch = Gem::RemoteFetcher.new nil, dns
204
+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
205
+
206
+ target.verify
207
+ dns.verify
208
+ end
209
+
210
+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
211
+ uri = URI.parse "http://example.com/foo"
212
+ target = MiniTest::Mock.new
213
+ target.expect :target, "badexample.com"
214
+
215
+ dns = MiniTest::Mock.new
216
+ dns.expect :getresource, target, [String, Object]
217
+
218
+ fetch = Gem::RemoteFetcher.new nil, dns
219
+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
220
+
221
+ target.verify
222
+ dns.verify
223
+ end
224
+
195
225
  def test_cache_update_path
196
226
  uri = URI 'http://example/file'
197
227
  path = File.join @tempdir, 'file'
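Review bot: both new tests are negative cases (`example.combadguy.com` and `badexample.com`) and both assert the fallback `URI.parse("http://example.com/foo")`; there is no positive test showing that a legitimate subdomain target such as `api.example.com` is still accepted and rewritten to `http://api.example.com/foo`, nor a test for a target exactly equal to `example.com`, which the tightened pattern no longer matches. Without the positive case, a later change that rejects every target would still pass this suite. Minor naming nit: `values_that_starts_with_original` should read `values_that_start_with_original` to agree with its sibling `..._that_end_with_original`.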
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rubygems-update
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.4
4
+ version: 2.2.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jim Weirich
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2015-05-14 00:00:00.000000000 Z
13
+ date: 2015-06-08 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: minitest