rubygems-update 2.4.7 → 2.4.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5957b4caef4d5ae7826a3f4ee4ea8e7174a1dde0
-  data.tar.gz: ec0b2563d1b6b07d34f3375ce857e32a928b9b4c
+  metadata.gz: 628e3b112ee81a73e5c1570bd8d92f656cd1270a
+  data.tar.gz: d3bdbbcfba8a3ec257cd6e55946cf6afb6e6eba9
 SHA512:
-  metadata.gz: cb03080a6d5f74eca52ee3f06b825a8b7438dc51b0a9e18107f978df09b3d2d51e17a749a6d9564acf6d63fd6ca253bf44d62664448ca8164003b9fea43a77c8
-  data.tar.gz: 937345a29ff97fa27d915d367f66df8edd56d9e0505cb84ebdb702162e8d258faf9e2babb760efe047491a7b0123c2018c9d6cf7cd0a8cadd7c3b9b478133d88
+  metadata.gz: 5874130383cb363d0f953b09df44484bd9f21595f371f712b1566cb4cc8e5aee34cb01953a661afb077dc4fa89658c0735f3502888a44f31b1cdd135a7e1d818
+  data.tar.gz: b3c162f82fe34a9436a8c46834285dfb64c59f2af57dee90a83f23c3ae4fe49347a4a399dbe645cc1e06736e98df853fa637e0ab9f90ee9a0a1b0cb2bf5b8fa9

data/History.txt

@@ -1,5 +1,11 @@
 # coding: UTF-8
 
+=== 2.4.8 / 2015-06-08
+
+Bug fixes:
+
+* Tightened API endpoint checks for CVE-2015-3900
+
 === 2.4.7 / 2015-05-14
 
 Bug fixes:

data/lib/rubygems.rb

@@ -9,7 +9,7 @@ require 'rbconfig'
 require 'thread'
 
 module Gem
-  VERSION = '2.4.7'
+  VERSION = '2.4.8'
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/remote_fetcher.rb

@@ -96,7 +96,7 @@ class Gem::RemoteFetcher
     else
       target = res.target.to_s.strip
 
-      if /#{host}\z/ =~ target
+      if /\.#{Regexp.quote(host)}\z/ =~ target
         return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
       end
 

data/test/rubygems/test_gem_remote_fetcher.rb

@@ -196,6 +196,36 @@ gems:
     dns.verify
   end
 
+  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "example.combadguy.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "badexample.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
   def test_cache_update_path
     uri = URI 'http://example/file'
     path = File.join @tempdir, 'file'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.4.7
+  version: 2.4.8
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-14 00:00:00.000000000 Z
+date: 2015-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -18,14 +18,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.6'
+        version: '5.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.6'
+        version: '5.7'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement