merge revision(s) 62244,62246,62301,62302,62303,62422,62436,62452: [Backport #14481]

Merge RubyGems-2.7.5 from upstream.

	  Please see its details: http://blog.rubygems.org/2018/02/06/2.7.5-released.html

	test_gem_util.rb: fix broken test

	* test/rubygems/test_gem_util.rb: no guarantee that tmpdir is
	  always underneath the root directory at all.

	test_gem_commands_setup_command.rb: BUNDLER_VERS

	* test/rubygems/test_gem_commands_setup_command.rb: run bundled
	  gem command, instead of installed one.

	no need to set bundled bundler unless Gem::USE_BUNDLER_FOR_GEMDEPS


	revert r62302 and force to define the version constant


	Merge RubyGems 2.7.6 from upstream.

	  It fixed some security vulnerabilities.

	  http://blog.rubygems.org/2018/02/15/2.7.6-released.html

	fix regexp literal warning.

	test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
	[Bug #14481]

	Remove unnecessary `[]`s

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62837 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

lib/rubygems/package.rb

@@ -219,7 +219,7 @@ class Gem::Package
       next unless stat.file?
 
       tar.add_file_simple file, stat.mode, stat.size do |dst_io|
-        open file, 'rb' do |src_io|
+        File.open file, 'rb' do |src_io|
           dst_io.write src_io.read 16384 until src_io.eof?
         end
       end
@@ -378,9 +378,9 @@ EOM
             File.dirname destination
           end
 
-        FileUtils.mkdir_p mkdir, mkdir_options
+        mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
 
-        open destination, 'wb' do |out|
+        File.open destination, 'wb' do |out|
           out.write entry.read
           FileUtils.chmod entry.header.mode, destination
         end if entry.file?
@@ -416,20 +416,35 @@ EOM
     raise Gem::Package::PathError.new(filename, destination_dir) if
       filename.start_with? '/'
 
-    destination_dir = File.realpath destination_dir if
-      File.respond_to? :realpath
+    destination_dir = realpath destination_dir
     destination_dir = File.expand_path destination_dir
 
     destination = File.join destination_dir, filename
     destination = File.expand_path destination
 
     raise Gem::Package::PathError.new(destination, destination_dir) unless
-      destination.start_with? destination_dir
+      destination.start_with? destination_dir + '/'
 
     destination.untaint
     destination
   end
 
+  def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
+    destination_dir = realpath File.expand_path(destination_dir)
+    parts = mkdir.split(File::SEPARATOR)
+    parts.reduce do |path, basename|
+      path = realpath path  unless path == ""
+      path = File.expand_path(path + File::SEPARATOR + basename)
+      lstat = File.lstat path rescue nil
+      if !lstat || !lstat.directory?
+        unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
+          raise Gem::Package::PathError.new(file_name, destination_dir)
+        end
+      end
+      path
+    end
+  end
+
   ##
   # Loads a Gem::Specification from the TarEntry +entry+
 
@@ -603,6 +618,10 @@ EOM
       raise Gem::Package::FormatError.new \
               'package content (data.tar.gz) is missing', @gem
     end
+
+    if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
+      raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
+    end
   end
 
   ##
@@ -616,6 +635,16 @@ EOM
     raise Gem::Package::FormatError.new(e.message, entry.full_name)
   end
 
+  if File.respond_to? :realpath
+    def realpath file
+      File.realpath file
+    end
+  else
+    def realpath file
+      file
+    end
+  end
+
 end
 
 require 'rubygems/package/digest_io'