rubygems-update 2.6.3 → 2.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bed7c7899639f9d4eb539d69521ede2590f48bf7
-  data.tar.gz: 8a477e9b22457409b503bfd6c2d4db1b210d4bd8
+  metadata.gz: ae122381f72a89b501634c0647d02389dc8f2360
+  data.tar.gz: f55b58bf8be379f12b8f617986c4f320c9976e0f
 SHA512:
-  metadata.gz: ab3c776e4e1f56437bcab1717d93b228519eb7a9b945868e91e8ec22e85f06b0201df7579c0450f8b45d3a0692e3abed75561d55dce83ec09e405d66a8ebcc03
-  data.tar.gz: ac178d28e4a95baf5ae57d1e8f90d0195b83b2b7591595a4a7415839dfc7d661cba75448916f036e300f1eb8b30b9cb53f2f3152cd2bc98dbda6de8db74a4419
+  metadata.gz: 2ffbdd1cc35bdac49d847c9c3396fed9e5515c9b083c37e93f6f4da6c3b14c860db35b655d73258fc1f4c7e4d327723c503cbbed6983c4eaed56cbcbe0bc96f7
+  data.tar.gz: f47e81a5998a75ada652786f196645cfdc64f4e1708dc1c9969d2407326697680206126a853c0abfc6e684875c54d35f25f0b2161e0046a09edb10ac50f00841

data/CONTRIBUTING.rdoc

@@ -13,9 +13,11 @@ contributors to follow to reduce the time it takes to get changes merged in.
    * Match indentation (two spaces)
    * Match coding style (`if`, `elsif`, `when` need trailing `then`)
 
-3. Don't modify the history file or version number.
+3. If any new files are added or existing files removed in a commit or PR, please update the `Manifest.txt` accordingly.
 
-4. If you have any questions, just ask on IRC in #rubygems on Freenode or file
+4. Don't modify the history file or version number.
+
+5. If you have any questions, just ask on IRC in #rubygems on Freenode or file
    an issue here: http://github.com/rubygems/rubygems/issues
 
 For more information and ideas on how to contribute to RubyGems ecosystem, see

data/History.txt

@@ -1,5 +1,22 @@
 # coding: UTF-8
 
+=== 2.6.4 / ---
+
+Minor enhancements:
+
+* Use Gem::Util::NULL_DEVICE instead of hard coded strings. Pull request #1588
+  by Chris Charabaruk.
+* Use File.symlink on MS Windows if supported. Pull request #1418
+  by Nobuyoshi Nakada.
+
+Bug fixes:
+
+* Redact uri password from error output when gem fetch fails. Pull request
+  #1565 by Brian Fletcher.
+* Suppress warnings. Pull request #1594 by Nobuyoshi Nakada.
+* Escape user-supplied content served on web pages by `gem server` to avoid
+  potential XSS vulnerabilities. Samuel Giddins.
+
 === 2.6.3 / 2016-04-05
 
 Minor enhancements:

data/Manifest.txt

@@ -362,6 +362,7 @@ test/rubygems/test_gem_validator.rb
 test/rubygems/test_gem_version.rb
 test/rubygems/test_gem_version_option.rb
 test/rubygems/test_kernel.rb
+test/rubygems/test_remote_fetch_error.rb
 test/rubygems/test_require.rb
 test/rubygems/wrong_key_cert.pem
 test/rubygems/wrong_key_cert_32.pem

data/appveyor.yml

@@ -1,38 +1,42 @@
----
-version: "{build}"
+version: '{build}'
 branches:
   only:
-    - master
-    - auto
-    - /[\d.]+/
+  - master
+  - auto
+  - /[\d.]+/
+skip_tags: true
 clone_depth: 10
+environment:
+  matrix:
+  - ruby_version: 193
+  - ruby_version: 200
+  - ruby_version: 200-x64
+  - ruby_version: 21
+  - ruby_version: 21-x64
+  - ruby_version: 22
+  - ruby_version: 22-x64
 install:
-  - SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
-  - SET GEM_HOME=%APPDATA%\.gem
-  - ruby --version
-  - gem --version
-  - gem install rake -v "~> 10.5" --no-rdoc --no-ri
-  - gem install hoe-travis --no-rdoc --no-ri
-  - gem install minitest -v "~> 4.7" --no-rdoc --no-ri
-  - rake travis:before --trace
-  - gem list --details
-  - gem env
+- ps: >-
+    $env:path = 'C:\Ruby' + $env:ruby_version + '\bin;' + $env:path
+
+    $env:TRAVIS = $TRUE
+
+    if ((gem query -i rake) -eq $False){ gem install rake --no-document }
+
+    if ((gem query -i hoe) -eq $False){ gem install hoe --no-document }
 
+    gem install minitest -v "~> 4.7" --no-document
+
+    ruby -v
+cache:
+- C:\Ruby193\lib\ruby\gems\1.9.1
+- C:\Ruby200\lib\ruby\gems\2.0.0
+- C:\Ruby200-x64\lib\ruby\gems\2.0.0
+- C:\Ruby21\lib\ruby\gems\2.1.0
+- C:\Ruby21-x64\lib\ruby\gems\2.1.0
+- C:\Ruby22\lib\ruby\gems\2.2.0
+- C:\Ruby22-x64\lib\ruby\gems\2.2.0
 build: off
 test_script:
-  - rake -rdevkit travis
-after_test:
-  # FIXME: missing `diff` to check manifest differences
-  #- rake -rdevkit travis:after --trace
-
-environment:
-  matrix:
-    # FIXME: Tests don't even run on Ruby 1.9.3 on Windows on Appveyor.
-    # See: https://github.com/rubygems/rubygems/issues/1270
-    #- ruby_version: "193"
-    - ruby_version: "200"
-    - ruby_version: "200-x64"
-    - ruby_version: "21"
-    - ruby_version: "21-x64"
-    - ruby_version: "22"
-    - ruby_version: "22-x64"
+- cmd: rake -rdevkit test
+deploy: off

data/lib/rubygems.rb

@@ -10,7 +10,7 @@ require 'rbconfig'
 require 'thread'
 
 module Gem
-  VERSION = '2.6.3'
+  VERSION = '2.6.4'
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/commands/query_command.rb

@@ -259,7 +259,7 @@ is too hard to use.
             if options[:domain] == :remote || specs.all? { |spec| spec.is_a? Gem::Source }
               version
             else
-              spec = specs.select { |spec| spec.version == version }
+              spec = specs.select { |s| s.version == version }
               if spec.first.default_gem?
                 "default: #{version}"
               else

data/lib/rubygems/errors.rb

@@ -170,6 +170,7 @@ module Gem
     # An English description of the error.
 
     def wordy
+      @source.uri.password = 'REDACTED' unless @source.uri.password.nil?
       "Unable to download data from #{@source.uri} - #{@error.message}"
     end
 

data/lib/rubygems/installer.rb

@@ -509,12 +509,6 @@ class Gem::Installer
   # the symlink if the gem being installed has a newer version.
 
   def generate_bin_symlink(filename, bindir)
-    if Gem.win_platform? then
-      alert_warning "Unable to use symlinks on Windows, installing wrapper"
-      generate_bin_script filename, bindir
-      return
-    end
-
     src = File.join gem_dir, spec.bindir, filename
     dst = File.join bindir, formatted_program_filename(filename)
 
@@ -528,6 +522,9 @@ class Gem::Installer
     end
 
     FileUtils.symlink src, dst, :verbose => Gem.configuration.really_verbose
+  rescue NotImplementedError, SystemCallError
+    alert_warning "Unable to use symlinks, installing wrapper"
+    generate_bin_script filename, bindir
   end
 
   ##

data/lib/rubygems/remote_fetcher.rb

@@ -27,7 +27,13 @@ class Gem::RemoteFetcher
 
     def initialize(message, uri)
       super message
-      @uri = uri
+      begin
+        uri = URI(uri)
+        uri.password = 'REDACTED' if uri.password
+        @uri = uri.to_s
+      rescue URI::InvalidURIError, ArgumentError
+        @uri = uri
+      end
     end
 
     def to_s # :nodoc:

data/lib/rubygems/server.rb

@@ -34,7 +34,7 @@ class Gem::Server
   include ERB::Util
   include Gem::UserInteraction
 
-  SEARCH = <<-SEARCH
+  SEARCH = <<-ERB
       <form class="headerSearch" name="headerSearchForm" method="get" action="/rdoc">
         <div id="search" style="float:right">
           <label for="q">Filter/Search</label>
@@ -42,9 +42,9 @@ class Gem::Server
           <button type="submit" style="display:none"></button>
         </div>
       </form>
-  SEARCH
+  ERB
 
-  DOC_TEMPLATE = <<-'DOC_TEMPLATE'
+  DOC_TEMPLATE = <<-'ERB'
   <?xml version="1.0" encoding="iso-8859-1"?>
   <!DOCTYPE html
        PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
@@ -68,35 +68,33 @@ class Gem::Server
         <h1>Summary</h1>
   <p>There are <%=values["gem_count"]%> gems installed:</p>
   <p>
-  <%= values["specs"].map { |v| "<a href=\"##{v["name"]}\">#{v["name"]}</a>" }.join ', ' %>.
+  <%= values["specs"].map { |v| "<a href\"##{u v["name"]}\">#{h v["name"]}</a>" }.join ', ' %>.
   <h1>Gems</h1>
 
   <dl>
   <% values["specs"].each do |spec| %>
     <dt>
     <% if spec["first_name_entry"] then %>
-      <a name="<%=spec["name"]%>"></a>
+      <a name="<%=h spec["name"]%>"></a>
     <% end %>
 
-    <b><%=spec["name"]%> <%=spec["version"]%></b>
+    <b><%=h spec["name"]%> <%=h spec["version"]%></b>
 
-    <% if spec["ri_installed"] then %>
-      <a href="<%=spec["doc_path"]%>">[rdoc]</a>
-    <% elsif spec["rdoc_installed"] then %>
-      <a href="<%=spec["doc_path"]%>">[rdoc]</a>
+    <% if spec["ri_installed"] || spec["rdoc_installed"] then %>
+      <a href="<%=u spec["doc_path"]%>">[rdoc]</a>
     <% else %>
       <span title="rdoc not installed">[rdoc]</span>
     <% end %>
 
     <% if spec["homepage"] then %>
-      <a href="<%=spec["homepage"]%>" title="<%=spec["homepage"]%>">[www]</a>
+      <a href="<%=u spec["homepage"]%>" title="<%=h spec["homepage"]%>">[www]</a>
     <% else %>
       <span title="no homepage available">[www]</span>
     <% end %>
 
     <% if spec["has_deps"] then %>
      - depends on
-      <%= spec["dependencies"].map { |v| "<a href=\"##{v["name"]}\">#{v["name"]}</a>" }.join ', ' %>.
+      <%= spec["dependencies"].map { |v| "<a href=\"##{u v["name"]}>#{h v["name"]}</a>" }.join ', ' %>.
     <% end %>
     </dt>
     <dd>
@@ -110,7 +108,7 @@ class Gem::Server
           Executables are
       <%end%>
 
-      <%= spec["executables"].map { |v| "<span class=\"context-item-name\">#{v["executable"]}</span>"}.join ', ' %>.
+      <%= spec["executables"].map { |v| "<span class=\"context-item-name\">#{h v["executable"]}</span>"}.join ', ' %>.
 
     <%end%>
     <br/>
@@ -127,10 +125,10 @@ class Gem::Server
   </div>
   </body>
   </html>
-  DOC_TEMPLATE
+  ERB
 
   # CSS is copy & paste from rdoc-style.css, RDoc V1.0.1 - 20041108
-  RDOC_CSS = <<-RDOC_CSS
+  RDOC_CSS = <<-CSS
 body {
     font-family: Verdana,Arial,Helvetica,sans-serif;
     font-size:   90%;
@@ -338,9 +336,9 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
 .ruby-comment { color: #b22222; font-weight: bold; background: transparent; }
 .ruby-regexp  { color: #ffa07a; background: transparent; }
 .ruby-value   { color: #7fffd4; background: transparent; }
-  RDOC_CSS
+  CSS
 
-  RDOC_NO_DOCUMENTATION = <<-'NO_DOC'
+  RDOC_NO_DOCUMENTATION = <<-'ERB'
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
           "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -372,9 +370,9 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
     </div>
   </body>
 </html>
-  NO_DOC
+  ERB
 
-  RDOC_SEARCH_TEMPLATE = <<-'RDOC_SEARCH'
+  RDOC_SEARCH_TEMPLATE = <<-'ERB'
 <?xml version="1.0" encoding="iso-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
           "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -401,10 +399,10 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
           <% doc_items.each do |doc_item| %>
             <dt>
               <b><%=doc_item[:name]%></b>
-              <a href="<%=doc_item[:url]%>">[rdoc]</a>
+              <a href="<%=u doc_item[:url]%>">[rdoc]</a>
             </dt>
             <dd>
-              <%=doc_item[:summary]%>
+              <%=h doc_item[:summary]%>
               <br/>
               <br/>
             </dd>
@@ -423,7 +421,7 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
     </div>
   </body>
 </html>
-  RDOC_SEARCH
+  ERB
 
   def self.run(options)
     new(options[:gemdir], options[:port], options[:daemon],
@@ -459,9 +457,9 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
 
   def doc_root gem_name
     if have_rdoc_4_plus? then
-      "/doc_root/#{gem_name}/"
+      "/doc_root/#{u gem_name}/"
     else
-      "/doc_root/#{gem_name}/rdoc/index.html"
+      "/doc_root/#{u gem_name}/rdoc/index.html"
     end
   end
 

data/lib/rubygems/user_interaction.rb

@@ -5,6 +5,8 @@
 # See LICENSE.txt for permissions.
 #++
 
+require 'rubygems/util'
+
 begin
   require 'io/console'
 rescue LoadError
@@ -676,13 +678,8 @@ class Gem::SilentUI < Gem::StreamUI
   def initialize
     reader, writer = nil, nil
 
-    begin
-      reader = File.open('/dev/null', 'r')
-      writer = File.open('/dev/null', 'w')
-    rescue Errno::ENOENT
-      reader = File.open('nul', 'r')
-      writer = File.open('nul', 'w')
-    end
+    reader = File.open(Gem::Util::NULL_DEVICE, 'r')
+    writer = File.open(Gem::Util::NULL_DEVICE, 'w')
 
     super reader, writer, writer, false
   end
@@ -701,4 +698,3 @@ class Gem::SilentUI < Gem::StreamUI
     SilentProgressReporter.new(@outs, *args)
   end
 end
-

data/test/rubygems/rubygems_plugin.rb

@@ -6,6 +6,10 @@ require 'rubygems/command_manager'
 #
 # DO NOT include code like this in your rubygems_plugin.rb
 
+module Gem::Commands
+  remove_const(:InterruptCommand) if defined?(InterruptCommand)
+end
+
 class Gem::Commands::InterruptCommand < Gem::Command
 
   def initialize

data/test/rubygems/test_gem_installer.rb

@@ -2,6 +2,20 @@
 require 'rubygems/installer_test_case'
 
 class TestGemInstaller < Gem::InstallerTestCase
+  @@symlink_supported = nil
+
+  def symlink_supported?
+    if @@symlink_supported.nil?
+      begin
+        File.symlink("", "")
+      rescue Errno::ENOENT, Errno::EEXIST
+        @@symlink_supported = true
+      rescue NotImplementedError, SystemCallError
+        @@symlink_supported = false
+      end
+    end
+    @@symlink_supported
+  end
 
   def setup
     super
@@ -552,7 +566,7 @@ gem 'other', version
   end
 
   def test_generate_bin_symlink_update_older
-    return if win_platform? #Windows FS do not support symlinks
+    return if !symlink_supported?
 
     @installer.wrappers = false
     util_make_exec
@@ -588,7 +602,7 @@ gem 'other', version
   end
 
   def test_generate_bin_symlink_update_remove_wrapper
-    return if win_platform? #Windows FS do not support symlinks
+    return if !symlink_supported?
 
     @installer.wrappers = true
     util_make_exec
@@ -639,7 +653,12 @@ gem 'other', version
     installed_exec = File.join(util_inst_bindir, 'executable')
     assert_path_exists installed_exec
 
-    assert_match(/Unable to use symlinks on Windows, installing wrapper/i,
+    if symlink_supported?
+      assert_send([File, :symlink?, installed_exec])
+      return
+    end
+
+    assert_match(/Unable to use symlinks, installing wrapper/i,
                  @ui.error)
 
     wrapper = File.read installed_exec
@@ -651,7 +670,7 @@ gem 'other', version
   end
 
   def test_generate_bin_uses_default_shebang
-    return if win_platform? #Windows FS do not support symlinks
+    return if !symlink_supported?
 
     @installer.wrappers = true
     util_make_exec

data/test/rubygems/test_gem_source_fetch_problem.rb

@@ -16,5 +16,13 @@ class TestGemSourceFetchProblem < Gem::TestCase
     assert_equal 'test', e.message
   end
 
+  def test_password_redacted
+    source = Gem::Source.new 'https://username:secret@gemsource.com'
+    error  = RuntimeError.new 'test'
+
+    sf = Gem::SourceFetchProblem.new source, error
+
+    refute_match sf.wordy, 'secret'
+  end
 end
 

data/test/rubygems/test_remote_fetch_error.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require 'rubygems/test_case'
+
+class TestRemoteFetchError < Gem::TestCase
+
+  def test_password_redacted
+    error = Gem::RemoteFetcher::FetchError.new('There was an error fetching', 'https://user:secret@gemsource.org')
+    refute_match error.to_s, 'secret'
+  end
+
+  def test_invalid_url
+    error = Gem::RemoteFetcher::FetchError.new('There was an error fetching', 'https://::gemsource.org')
+    assert_equal error.to_s, 'There was an error fetching (https://::gemsource.org)'
+  end
+
+  def test_to_s
+    error = Gem::RemoteFetcher::FetchError.new('There was an error fetching', 'https://gemsource.org')
+    assert_equal error.to_s, 'There was an error fetching (https://gemsource.org)'
+  end
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.6.3
+  version: 2.6.4
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-05 00:00:00.000000000 Z
+date: 2016-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rdoc
@@ -520,6 +520,7 @@ files:
 - test/rubygems/test_gem_version.rb
 - test/rubygems/test_gem_version_option.rb
 - test/rubygems/test_kernel.rb
+- test/rubygems/test_remote_fetch_error.rb
 - test/rubygems/test_require.rb
 - test/rubygems/wrong_key_cert.pem
 - test/rubygems/wrong_key_cert_32.pem
@@ -552,7 +553,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.2
+rubygems_version: 2.6.3
 signing_key: 
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby