merge revision(s) 50829: [Backport #11248]

* lib/rubygems.rb: bump version to 2.0.14.1. this version fixed CVE-2015-3900. * lib/rubygems/remote_fetcher.rb: ditto. * test/rubygems/test_gem_remote_fetcher.rb: added testcase for CVE-2015-3900 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_0_0@51628 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2025-08-15 13:39:04 +02:00 · 2015-08-18 13:01:02 +00:00 · 2015-08-18 13:01:02 +00:00 · ec54e6433f
commit ec54e6433f
parent bd00df2f1a
4 changed files with 65 additions and 5 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+Tue Aug 18 22:00:12 2015  SHIBATA Hiroshi  <hsbt@ruby-lang.org>
+
+	* lib/rubygems.rb: bump version to 2.0.14.1. this version fixed
+	  CVE-2015-3900.
+
+	* lib/rubygems/remote_fetcher.rb: ditto.
+
+	* test/rubygems/test_gem_remote_fetcher.rb: added testcase for CVE-2015-3900
+
 Tue Jun  2 00:10:14 2015  NAKAMURA Usaku  <usa@ruby-lang.org>

 	* lib/resolv.rb (Requester#request): typo, regression introduced at
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@ -8,7 +8,7 @@
 require 'rbconfig'

 module Gem
-  VERSION = '2.0.14'
+  VERSION = '2.0.14.1'
 end

 # Must be first since it unloads the prelude from 1.9.2
--- a/lib/rubygems/remote_fetcher.rb
+++ b/lib/rubygems/remote_fetcher.rb
@ -103,7 +103,13 @@ class Gem::RemoteFetcher
    rescue Resolv::ResolvError
      uri
    else
-      URI.parse "#{res.target}#{uri.path}"
+      target = res.target.to_s.strip
+
+      if /\.#{Regexp.quote(host)}\z/ =~ target
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+      end
+
+      uri
    end
  end

--- a/test/rubygems/test_gem_remote_fetcher.rb
+++ b/test/rubygems/test_gem_remote_fetcher.rb
@ -177,15 +177,60 @@ gems:
  end

  def test_api_endpoint
-    uri = URI.parse "http://gems.example.com/foo"
+    uri = URI.parse "http://example.com/foo"
    target = MiniTest::Mock.new
-    target.expect :target, "http://blah.com"
+    target.expect :target, "gems.example.com"

    dns = MiniTest::Mock.new
    dns.expect :getresource, target, [String, Object]

    fetch = Gem::RemoteFetcher.new nil, dns
-    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values
+    uri = URI.parse "http://gems.example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "blah.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "example.combadguy.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+    uri = URI.parse "http://example.com/foo"
+    target = MiniTest::Mock.new
+    target.expect :target, "badexample.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)

    target.verify
    dns.verify