rubygems-update 2.6.13 → 2.6.14
- checksums.yaml +5 -5
- data/History.txt +8 -0
- data/Manifest.txt +1 -0
- data/lib/rubygems.rb +3 -2
- data/lib/rubygems/config_file.rb +1 -1
- data/lib/rubygems/package.rb +1 -1
- data/lib/rubygems/package/old.rb +1 -1
- data/lib/rubygems/safe_yaml.rb +48 -0
- data/lib/rubygems/specification.rb +1 -1
- metadata +4 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 57912bb77dd87dcd42c101212129e693553e4d31b01e3475f423d69606d054f2
|
4
|
+
data.tar.gz: 6c57e3463ebe2e2dec90d8c99ba48212622faac0cdfc7bb90ab91d1299a2af97
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ea7514aa2ffa01b8d84c0834933fdd8f8682bbbb272faaf8980c398e0fdce05131225132449ae51aab1852905a82bab8cf2e88a94f7fef83c442791735e37c4e
|
7
|
+
data.tar.gz: c2b993fac57b622ad7f95622e5724c79f0c82f612c88d7f94c2db7be01d9eb2c93bdcaabc59b3adbd4cb530e4ccc4ebdcacc31e97ce2b2d4cf65af6c3d54c79d
|
data/History.txt
CHANGED
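--- a/data/Manifest.txt
+++ b/data/Manifest.txt
@@ -387,6 +387,7 @@ lib/rubygems/resolver/specification.rb
 lib/rubygems/resolver/stats.rb
 lib/rubygems/resolver/vendor_set.rb
 lib/rubygems/resolver/vendor_specification.rb
+lib/rubygems/safe_yaml.rb
 lib/rubygems/security.rb
 lib/rubygems/security/policies.rb
 lib/rubygems/security/policy.rb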
data/lib/rubygems.rb
CHANGED
@@ -10,7 +10,7 @@ require 'rbconfig'
|
|
10
10
|
require 'thread'
|
11
11
|
|
12
12
|
module Gem
|
13
|
-
VERSION = "2.6.
|
13
|
+
VERSION = "2.6.14"
|
14
14
|
end
|
15
15
|
|
16
16
|
# Must be first since it unloads the prelude from 1.9.2
|
@@ -675,7 +675,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
|
|
675
675
|
|
676
676
|
unless test_syck
|
677
677
|
begin
|
678
|
-
gem 'psych', '>=
|
678
|
+
gem 'psych', '>= 2.0.0'
|
679
679
|
rescue Gem::LoadError
|
680
680
|
# It's OK if the user does not have the psych gem installed. We will
|
681
681
|
# attempt to require the stdlib version
|
@@ -699,6 +699,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
|
|
699
699
|
end
|
700
700
|
|
701
701
|
require 'yaml'
|
702
|
+
require 'rubygems/safe_yaml'
|
702
703
|
|
703
704
|
# If we're supposed to be using syck, then we may have to force
|
704
705
|
# activate it via the YAML::ENGINE API.
|
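Review bot: The new `require 'rubygems/safe_yaml'` at +702 only works because it sits after `require 'yaml'` on the previous line: safe_yaml.rb selects its implementation with `::YAML.respond_to? :safe_load` at require time, so reordering these two lines would silently pick the unsafe branch. A one-line comment would protect that ordering, e.g. `# must follow require 'yaml': safe_yaml chooses its loader when required`. Note also that the raised floor `gem 'psych', '>= 2.0.0'` at +678 is only a preference, since the `rescue Gem::LoadError` below it falls through to whatever stdlib psych is present, and on a psych without `safe_load` the module degrades to `YAML.load` (see the `else` branch of safe_yaml.rb in this commit). The enclosing method starts and ends outside the hunk.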
data/lib/rubygems/config_file.rb
CHANGED
@@ -345,7 +345,7 @@ if you believe they were disclosed to a third party.
|
|
345
345
|
return {} unless filename and File.exist? filename
|
346
346
|
|
347
347
|
begin
|
348
|
-
content =
|
348
|
+
content = Gem::SafeYAML.load(File.read(filename))
|
349
349
|
unless content.kind_of? Hash
|
350
350
|
warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
|
351
351
|
return {}
|
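Review bot: `Gem::SafeYAML.load` at +348 can raise `Psych::DisallowedClass` (a tag outside the Symbol allowance) or `Psych::BadAlias` (aliases are not enabled by that call), and neither is an `ArgumentError` nor produces the non-Hash result that the `unless content.kind_of? Hash` check at 349 handles. The `begin` at 347 is closed by rescue clauses that lie outside the hunk, so confirm they include `Psych::Exception`; otherwise a hand-edited or tampered gemrc now aborts the command with a raw backtrace instead of reaching the "Failed to load" warning path. The enclosing method starts and ends outside the hunk.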
data/lib/rubygems/package.rb
CHANGED
data/lib/rubygems/package/old.rb
CHANGED
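--- /dev/null
+++ b/data/lib/rubygems/safe_yaml.rb
@@ -0,0 +1,48 @@
+module Gem
+
+###
+# This module is used for safely loading YAML specs from a gem. The
+# `safe_load` method defined on this module is specifically designed for
+# loading Gem specifications. For loading other YAML safely, please see
+# Psych.safe_load
+
+module SafeYAML
+WHITELISTED_CLASSES = %w(
+Symbol
+Time
+Date
+Gem::Dependency
+Gem::Platform
+Gem::Requirement
+Gem::Specification
+Gem::Version
+Gem::Version::Requirement
+YAML::Syck::DefaultKey
+Syck::DefaultKey
+)
+
+WHITELISTED_SYMBOLS = %w(
+development
+runtime
+)
+
+if ::YAML.respond_to? :safe_load
+def self.safe_load input
+::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+end
+
+def self.load input
+::YAML.safe_load(input, [::Symbol])
+end
+else
+warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+def self.safe_load input, *args
+::YAML.load input
+end
+
+def self.load input
+::YAML.load input
+end
+end
+end
+end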
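Review bot: The `else` branch at +37 to +45 defines `safe_load` and `load` as plain `::YAML.load`, so on a psych without `safe_load` the module name promises a protection it does not deliver, and the header comment at +4 to +7 says nothing about it; add a line there such as `# Falls back to YAML.load (no protection) when psych lacks safe_load; a warning is printed at require time.`. The two `safe_load` definitions also differ in arity (`input` at +30 versus `input, *args` at +39), so a caller passing an extra argument fails only on the safe branch; use the same signature in both. `WHITELISTED_CLASSES` and `WHITELISTED_SYMBOLS` are mutable constants that define the allow-list; appending `.freeze` after each closing `)` prevents anything from widening them at runtime.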
@@ -1101,7 +1101,7 @@ class Gem::Specification < Gem::BasicSpecification
|
|
1101
1101
|
Gem.load_yaml
|
1102
1102
|
|
1103
1103
|
input = normalize_yaml_input input
|
1104
|
-
spec =
|
1104
|
+
spec = Gem::SafeYAML.safe_load input
|
1105
1105
|
|
1106
1106
|
if spec && spec.class == FalseClass then
|
1107
1107
|
raise Gem::EndOfYAMLException
|
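Review bot: `Gem::SafeYAML.safe_load input` at +1104 raises `Psych::DisallowedClass` for a tag outside the allow-list (and other `Psych::Exception` subclasses for rejected input such as an alias when aliases are off), whereas the check that follows at 1106 only reacts to a `false` result. The enclosing method (its name is not visible; the `@@` context places it in `class Gem::Specification`) starts and ends outside the hunk, and the removed line is truncated in this rendering, so confirm that it or its callers translate these exceptions into a Gem error rather than letting a crafted gemspec surface as a raw Psych backtrace. If nothing does, a `rescue Psych::Exception => e` that raises a Gem-level exception with the original message would be the smallest fix.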
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rubygems-update
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.6.
|
4
|
+
version: 2.6.14
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jim Weirich
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2017-
|
13
|
+
date: 2017-10-10 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: builder
|
@@ -553,6 +553,7 @@ files:
|
|
553
553
|
- lib/rubygems/resolver/stats.rb
|
554
554
|
- lib/rubygems/resolver/vendor_set.rb
|
555
555
|
- lib/rubygems/resolver/vendor_specification.rb
|
556
|
+
- lib/rubygems/safe_yaml.rb
|
556
557
|
- lib/rubygems/security.rb
|
557
558
|
- lib/rubygems/security/policies.rb
|
558
559
|
- lib/rubygems/security/policy.rb
|
@@ -800,7 +801,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
800
801
|
version: '0'
|
801
802
|
requirements: []
|
802
803
|
rubyforge_project:
|
803
|
-
rubygems_version: 2.6.
|
804
|
+
rubygems_version: 2.6.13
|
804
805
|
signing_key:
|
805
806
|
specification_version: 4
|
806
807
|
summary: RubyGems is a package management framework for Ruby
|