From a9e033b104921bfa0dc4e3d99df1acc9f1258db4 Mon Sep 17 00:00:00 2001
From: nobu
Date: Wed, 14 Jan 2015 07:45:28 +0000
Subject: [PATCH] downloader.rb: verify gems

* tool/downloader.rb (RubyGems.download): verify downloaded gem
  packages. LowSecurity to allow untrusted certificates now.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49251 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog          |  5 +++++
 tool/downloader.rb | 26 ++++++++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dbd882e818..f591f2c41e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Wed Jan 14 16:45:24 2015 Nobuyoshi Nakada
+
+  * tool/downloader.rb (RubyGems.download): verify downloaded gem
+    packages. LowSecurity to allow untrusted certificates now.
+
 Wed Jan 14 15:43:48 2015 Nobuyoshi Nakada
 
   * ext/readline/readline.c (readline_s_refresh_line): initialize
diff --git a/tool/downloader.rb b/tool/downloader.rb
index 1da09288c7..7cd0db2786 100644
--- a/tool/downloader.rb
+++ b/tool/downloader.rb
@@ -38,11 +38,29 @@ class Downloader
   class RubyGems < self
     def self.download(name, dir = nil, ims = true, options = {})
+      require 'rubygems'
+      require 'rubygems/package'
       options[:ssl_ca_cert] = Dir.glob(File.expand_path("../lib/rubygems/ssl_certs/*.pem", File.dirname(__FILE__)))
       if $rubygems_schema != 'https'
         warn "*** using http instead of https ***"
       end
-      super("#{$rubygems_schema}://rubygems.org/downloads/#{name}", name, dir, ims, options)
+      file = under(dir, name)
+      super("#{$rubygems_schema}://rubygems.org/downloads/#{name}", file, nil, ims, options) or
+        return false
+      pkg = Gem::Package.new(file)
+      pkg.security_policy = Gem::Security::LowSecurity
+      begin
+        pkg.verify
+      rescue Gem::Security::Exception => e
+        $stderr.puts e.message
+        File.unlink(file)
+        false
+      else
+        true
+      end
+    end
+
+    def self.verify(pkg)
     end
   end
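Review bot: The `rescue Gem::Security::Exception => e` around `pkg.verify` is too narrow: a truncated or corrupted download fails inside `verify` with `Gem::Package::FormatError` (checksum mismatch, invalid tar), which is not a `Gem::Security::Exception`, so that error escapes `download` uncaught and the bad file is left on disk instead of being unlinked. Widening the clause to `rescue Gem::Security::Exception, Gem::Package::FormatError => e` routes both failure modes through the same unlink-and-return-false path. `Gem::Security::LowSecurity` has `only_signed` false, so an unsigned package passes `verify` on the strength of its own bundled checksums alone (integrity of the bytes as received, not authenticity of their origin), which deserves a comment above the assignment, e.g. `# LowSecurity: signatures are checked only when present; unsigned gems pass`. The new `def self.verify(pkg)` is an empty stub with an unused parameter and nothing in this patch calls it; either implement it or drop it. The enclosing `class Downloader` starts before this hunk, and the hunk's trailing context lines appear to be cut off in this listing.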
@@ -86,7 +104,7 @@ class Downloader
   #   download 'http://www.unicode.org/Public/UCD/latest/ucd/UnicodeData.txt',
   #            'UnicodeData.txt', 'enc/unicode/data'
   def self.download(url, name, dir = nil, ims = true, options = {})
-    file = dir ? File.join(dir, File.basename(name)) : name
+    file = under(dir, name)
     if ims.nil? and File.exist?(file)
       if $VERBOSE
         $stdout.puts "#{name} already exists"
@@ -141,6 +159,10 @@ class Downloader
     rescue => e
       raise "failed to download #{name}\n#{e.message}: #{url}"
     end
+
+    def self.under(dir, name)
+      dir ? File.join(dir, File.basename(name)) : name
+    end
   end
 
   if $0 == __FILE__
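Review bot: The new `self.under` helper has no comment explaining its asymmetry: with `dir` it keeps only `File.basename(name)`, without it `name` is used verbatim as the path, which now matters because `RubyGems.download` relies on it to locate the file it later verifies and unlinks. A one-line header such as `# Path for +name+ inside +dir+ (basename only); +name+ itself when +dir+ is nil.` would make that contract explicit at the definition. The hunk at `@@ -86,7` only replaces the inline expression with this call and needs nothing further.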