bb3359ab8e
This fixes the security issues described at https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in- rubygems/ * gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch: New file. * gnu/packages/ruby.scm (ruby-2.4.3)[source]: Use it. * gnu/local.mk (dist_patch_DATA): Add it.
605 lines
20 KiB
Diff
605 lines
20 KiB
Diff
diff --git lib/rubygems.rb lib/rubygems.rb
|
|
index 0685bcb3c6..a5a9202e56 100644
|
|
--- ruby-2.4.3/lib/rubygems.rb
|
|
+++ ruby-2.4.3/lib/rubygems.rb
|
|
@@ -10,7 +10,7 @@
|
|
require 'thread'
|
|
|
|
module Gem
|
|
- VERSION = "2.6.14"
|
|
+ VERSION = "2.6.14.1"
|
|
end
|
|
|
|
# Must be first since it unloads the prelude from 1.9.2
|
|
diff --git lib/rubygems/commands/owner_command.rb lib/rubygems/commands/owner_command.rb
|
|
index 4b99434e87..2ee7f84462 100644
|
|
--- ruby-2.4.3/lib/rubygems/commands/owner_command.rb
|
|
+++ ruby-2.4.3/lib/rubygems/commands/owner_command.rb
|
|
@@ -62,7 +62,7 @@ def show_owners name
|
|
end
|
|
|
|
with_response response do |resp|
|
|
- owners = YAML.load resp.body
|
|
+ owners = Gem::SafeYAML.load resp.body
|
|
|
|
say "Owners for gem: #{name}"
|
|
owners.each do |owner|
|
|
diff --git lib/rubygems/package.rb lib/rubygems/package.rb
|
|
index 77811ed5ec..b5a5fe2a26 100644
|
|
--- ruby-2.4.3/lib/rubygems/package.rb
|
|
+++ ruby-2.4.3/lib/rubygems/package.rb
|
|
@@ -378,7 +378,7 @@ def extract_tar_gz io, destination_dir, pattern = "*" # :nodoc:
|
|
File.dirname destination
|
|
end
|
|
|
|
- FileUtils.mkdir_p mkdir, mkdir_options
|
|
+ mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
|
|
|
|
open destination, 'wb' do |out|
|
|
out.write entry.read
|
|
@@ -416,20 +416,35 @@ def install_location filename, destination_dir # :nodoc:
|
|
raise Gem::Package::PathError.new(filename, destination_dir) if
|
|
filename.start_with? '/'
|
|
|
|
- destination_dir = File.realpath destination_dir if
|
|
- File.respond_to? :realpath
|
|
+ destination_dir = realpath destination_dir
|
|
destination_dir = File.expand_path destination_dir
|
|
|
|
destination = File.join destination_dir, filename
|
|
destination = File.expand_path destination
|
|
|
|
raise Gem::Package::PathError.new(destination, destination_dir) unless
|
|
- destination.start_with? destination_dir
|
|
+ destination.start_with? destination_dir + '/'
|
|
|
|
destination.untaint
|
|
destination
|
|
end
|
|
|
|
+ def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
|
|
+ destination_dir = realpath File.expand_path(destination_dir)
|
|
+ parts = mkdir.split(File::SEPARATOR)
|
|
+ parts.reduce do |path, basename|
|
|
+ path = realpath path unless path == ""
|
|
+ path = File.expand_path(path + File::SEPARATOR + basename)
|
|
+ lstat = File.lstat path rescue nil
|
|
+ if !lstat || !lstat.directory?
|
|
+ unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
|
|
+ raise Gem::Package::PathError.new(file_name, destination_dir)
|
|
+ end
|
|
+ end
|
|
+ path
|
|
+ end
|
|
+ end
|
|
+
|
|
##
|
|
# Loads a Gem::Specification from the TarEntry +entry+
|
|
|
|
@@ -603,6 +618,10 @@ def verify_files gem
|
|
raise Gem::Package::FormatError.new \
|
|
'package content (data.tar.gz) is missing', @gem
|
|
end
|
|
+
|
|
+ if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
|
|
+ raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
|
|
+ end
|
|
end
|
|
|
|
##
|
|
@@ -616,6 +635,16 @@ def verify_gz entry # :nodoc:
|
|
raise Gem::Package::FormatError.new(e.message, entry.full_name)
|
|
end
|
|
|
|
+ if File.respond_to? :realpath
|
|
+ def realpath file
|
|
+ File.realpath file
|
|
+ end
|
|
+ else
|
|
+ def realpath file
|
|
+ file
|
|
+ end
|
|
+ end
|
|
+
|
|
end
|
|
|
|
require 'rubygems/package/digest_io'
|
|
diff --git lib/rubygems/package/tar_header.rb lib/rubygems/package/tar_header.rb
|
|
index c54bd14d57..d557357114 100644
|
|
--- ruby-2.4.3/lib/rubygems/package/tar_header.rb
|
|
+++ ruby-2.4.3/lib/rubygems/package/tar_header.rb
|
|
@@ -104,25 +104,30 @@ def self.from(stream)
|
|
fields = header.unpack UNPACK_FORMAT
|
|
|
|
new :name => fields.shift,
|
|
- :mode => fields.shift.oct,
|
|
- :uid => fields.shift.oct,
|
|
- :gid => fields.shift.oct,
|
|
- :size => fields.shift.oct,
|
|
- :mtime => fields.shift.oct,
|
|
- :checksum => fields.shift.oct,
|
|
+ :mode => strict_oct(fields.shift),
|
|
+ :uid => strict_oct(fields.shift),
|
|
+ :gid => strict_oct(fields.shift),
|
|
+ :size => strict_oct(fields.shift),
|
|
+ :mtime => strict_oct(fields.shift),
|
|
+ :checksum => strict_oct(fields.shift),
|
|
:typeflag => fields.shift,
|
|
:linkname => fields.shift,
|
|
:magic => fields.shift,
|
|
- :version => fields.shift.oct,
|
|
+ :version => strict_oct(fields.shift),
|
|
:uname => fields.shift,
|
|
:gname => fields.shift,
|
|
- :devmajor => fields.shift.oct,
|
|
- :devminor => fields.shift.oct,
|
|
+ :devmajor => strict_oct(fields.shift),
|
|
+ :devminor => strict_oct(fields.shift),
|
|
:prefix => fields.shift,
|
|
|
|
:empty => empty
|
|
end
|
|
|
|
+ def self.strict_oct(str)
|
|
+ return str.oct if str =~ /\A[0-7]*\z/
|
|
+ raise ArgumentError, "#{str.inspect} is not an octal string"
|
|
+ end
|
|
+
|
|
##
|
|
# Creates a new TarHeader using +vals+
|
|
|
|
diff --git lib/rubygems/package/tar_writer.rb lib/rubygems/package/tar_writer.rb
|
|
index f68b8d4c5e..390f7851a3 100644
|
|
--- ruby-2.4.3/lib/rubygems/package/tar_writer.rb
|
|
+++ ruby-2.4.3/lib/rubygems/package/tar_writer.rb
|
|
@@ -196,6 +196,8 @@ def add_file_signed name, mode, signer
|
|
digest_name == signer.digest_name
|
|
end
|
|
|
|
+ raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
|
|
+
|
|
if signer.key then
|
|
signature = signer.sign signature_digest.digest
|
|
|
|
diff --git lib/rubygems/server.rb lib/rubygems/server.rb
|
|
index df4eb566d3..a7b5243ba0 100644
|
|
--- ruby-2.4.3/lib/rubygems/server.rb
|
|
+++ ruby-2.4.3/lib/rubygems/server.rb
|
|
@@ -631,6 +631,18 @@ def root(req, res)
|
|
executables = nil if executables.empty?
|
|
executables.last["is_last"] = true if executables
|
|
|
|
+ # Pre-process spec homepage for safety reasons
|
|
+ begin
|
|
+ homepage_uri = URI.parse(spec.homepage)
|
|
+ if [URI::HTTP, URI::HTTPS].member? homepage_uri.class
|
|
+ homepage_uri = spec.homepage
|
|
+ else
|
|
+ homepage_uri = "."
|
|
+ end
|
|
+ rescue URI::InvalidURIError
|
|
+ homepage_uri = "."
|
|
+ end
|
|
+
|
|
specs << {
|
|
"authors" => spec.authors.sort.join(", "),
|
|
"date" => spec.date.to_s,
|
|
@@ -640,7 +652,7 @@ def root(req, res)
|
|
"only_one_executable" => (executables && executables.size == 1),
|
|
"full_name" => spec.full_name,
|
|
"has_deps" => !deps.empty?,
|
|
- "homepage" => spec.homepage,
|
|
+ "homepage" => homepage_uri,
|
|
"name" => spec.name,
|
|
"rdoc_installed" => Gem::RDoc.new(spec).rdoc_installed?,
|
|
"ri_installed" => Gem::RDoc.new(spec).ri_installed?,
|
|
diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
|
|
index 40e3a70d47..0a154b9001 100644
|
|
--- ruby-2.4.3/lib/rubygems/specification.rb
|
|
+++ ruby-2.4.3/lib/rubygems/specification.rb
|
|
@@ -15,6 +15,7 @@
|
|
require 'rubygems/stub_specification'
|
|
require 'rubygems/util/list'
|
|
require 'stringio'
|
|
+require 'uri'
|
|
|
|
##
|
|
# The Specification class contains the information for a Gem. Typically
|
|
@@ -2813,10 +2814,16 @@ def validate packaging = true
|
|
raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
|
|
end
|
|
|
|
- if homepage and not homepage.empty? and
|
|
- homepage !~ /\A[a-z][a-z\d+.-]*:/i then
|
|
- raise Gem::InvalidSpecificationException,
|
|
- "\"#{homepage}\" is not a URI"
|
|
+ # Make sure a homepage is valid HTTP/HTTPS URI
|
|
+ if homepage and not homepage.empty?
|
|
+ begin
|
|
+ homepage_uri = URI.parse(homepage)
|
|
+ unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
|
|
+ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
|
|
+ end
|
|
+ rescue URI::InvalidURIError
|
|
+ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
|
|
+ end
|
|
end
|
|
|
|
# Warnings
|
|
diff --git test/rubygems/test_gem_commands_owner_command.rb test/rubygems/test_gem_commands_owner_command.rb
|
|
index 44652c1093..53cac4ce87 100644
|
|
--- ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb
|
|
+++ ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb
|
|
@@ -43,6 +43,31 @@ def test_show_owners
|
|
assert_match %r{- 4}, @ui.output
|
|
end
|
|
|
|
+ def test_show_owners_dont_load_objects
|
|
+ skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
|
|
+
|
|
+ response = <<EOF
|
|
+---
|
|
+- email: !ruby/object:Object {}
|
|
+ id: 1
|
|
+ handle: user1
|
|
+- email: user2@example.com
|
|
+- id: 3
|
|
+ handle: user3
|
|
+- id: 4
|
|
+EOF
|
|
+
|
|
+ @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
|
|
+
|
|
+ assert_raises Psych::DisallowedClass do
|
|
+ use_ui @ui do
|
|
+ @cmd.show_owners("freewill")
|
|
+ end
|
|
+ end
|
|
+
|
|
+ end
|
|
+
|
|
+
|
|
def test_show_owners_setting_up_host_through_env_var
|
|
response = "- email: user1@example.com\n"
|
|
host = "http://rubygems.example"
|
|
diff --git test/rubygems/test_gem_package.rb test/rubygems/test_gem_package.rb
|
|
index 9d47f0dea4..5b93475314 100644
|
|
--- ruby-2.4.3/test/rubygems/test_gem_package.rb
|
|
+++ ruby-2.4.3/test/rubygems/test_gem_package.rb
|
|
@@ -455,6 +455,31 @@ def test_extract_tar_gz_symlink_relative_path
|
|
File.read(extracted)
|
|
end
|
|
|
|
+ def test_extract_symlink_parent
|
|
+ skip 'symlink not supported' if Gem.win_platform?
|
|
+
|
|
+ package = Gem::Package.new @gem
|
|
+
|
|
+ tgz_io = util_tar_gz do |tar|
|
|
+ tar.mkdir 'lib', 0755
|
|
+ tar.add_symlink 'lib/link', '../..', 0644
|
|
+ tar.add_file 'lib/link/outside.txt', 0644 do |io| io.write 'hi' end
|
|
+ end
|
|
+
|
|
+ # Extract into a subdirectory of @destination; if this test fails it writes
|
|
+ # a file outside destination_subdir, but we want the file to remain inside
|
|
+ # @destination so it will be cleaned up.
|
|
+ destination_subdir = File.join @destination, 'subdir'
|
|
+ FileUtils.mkdir_p destination_subdir
|
|
+
|
|
+ e = assert_raises Gem::Package::PathError do
|
|
+ package.extract_tar_gz tgz_io, destination_subdir
|
|
+ end
|
|
+
|
|
+ assert_equal("installing into parent path lib/link/outside.txt of " +
|
|
+ "#{destination_subdir} is not allowed", e.message)
|
|
+ end
|
|
+
|
|
def test_extract_tar_gz_directory
|
|
package = Gem::Package.new @gem
|
|
|
|
@@ -566,6 +591,21 @@ def test_install_location_relative
|
|
"#{@destination} is not allowed", e.message)
|
|
end
|
|
|
|
+ def test_install_location_suffix
|
|
+ package = Gem::Package.new @gem
|
|
+
|
|
+ filename = "../#{File.basename(@destination)}suffix.rb"
|
|
+
|
|
+ e = assert_raises Gem::Package::PathError do
|
|
+ package.install_location filename, @destination
|
|
+ end
|
|
+
|
|
+ parent = File.expand_path File.join @destination, filename
|
|
+
|
|
+ assert_equal("installing into parent path #{parent} of " +
|
|
+ "#{@destination} is not allowed", e.message)
|
|
+ end
|
|
+
|
|
def test_load_spec
|
|
entry = StringIO.new Gem.gzip @spec.to_yaml
|
|
def entry.full_name() 'metadata.gz' end
|
|
@@ -723,6 +763,32 @@ def test_verify_nonexistent
|
|
assert_match %r%nonexistent.gem$%, e.message
|
|
end
|
|
|
|
+ def test_verify_duplicate_file
|
|
+ FileUtils.mkdir_p 'lib'
|
|
+ FileUtils.touch 'lib/code.rb'
|
|
+
|
|
+ build = Gem::Package.new @gem
|
|
+ build.spec = @spec
|
|
+ build.setup_signer
|
|
+ open @gem, 'wb' do |gem_io|
|
|
+ Gem::Package::TarWriter.new gem_io do |gem|
|
|
+ build.add_metadata gem
|
|
+ build.add_contents gem
|
|
+
|
|
+ gem.add_file_simple 'a.sig', 0444, 0
|
|
+ gem.add_file_simple 'a.sig', 0444, 0
|
|
+ end
|
|
+ end
|
|
+
|
|
+ package = Gem::Package.new @gem
|
|
+
|
|
+ e = assert_raises Gem::Security::Exception do
|
|
+ package.verify
|
|
+ end
|
|
+
|
|
+ assert_equal 'duplicate files in the package: ("a.sig")', e.message
|
|
+ end
|
|
+
|
|
def test_verify_security_policy
|
|
skip 'openssl is missing' unless defined?(OpenSSL::SSL)
|
|
|
|
@@ -780,7 +846,13 @@ def test_verify_security_policy_checksum_missing
|
|
|
|
# write bogus data.tar.gz to foil signature
|
|
bogus_data = Gem.gzip 'hello'
|
|
- gem.add_file_simple 'data.tar.gz', 0444, bogus_data.length do |io|
|
|
+ fake_signer = Class.new do
|
|
+ def digest_name; 'SHA512'; end
|
|
+ def digest_algorithm; Digest(:SHA512); end
|
|
+ def key; 'key'; end
|
|
+ def sign(*); 'fake_sig'; end
|
|
+ end
|
|
+ gem.add_file_signed 'data2.tar.gz', 0444, fake_signer.new do |io|
|
|
io.write bogus_data
|
|
end
|
|
|
|
diff --git test/rubygems/test_gem_package_tar_header.rb test/rubygems/test_gem_package_tar_header.rb
|
|
index d33877057d..43f508df45 100644
|
|
--- ruby-2.4.3/test/rubygems/test_gem_package_tar_header.rb
|
|
+++ ruby-2.4.3/test/rubygems/test_gem_package_tar_header.rb
|
|
@@ -143,5 +143,26 @@ def test_update_checksum
|
|
assert_equal '012467', @tar_header.checksum
|
|
end
|
|
|
|
+ def test_from_bad_octal
|
|
+ test_cases = [
|
|
+ "00000006,44\000", # bogus character
|
|
+ "00000006789\000", # non-octal digit
|
|
+ "+0000001234\000", # positive sign
|
|
+ "-0000001000\000", # negative sign
|
|
+ "0x000123abc\000", # radix prefix
|
|
+ ]
|
|
+
|
|
+ test_cases.each do |val|
|
|
+ header_s = @tar_header.to_s
|
|
+ # overwrite the size field
|
|
+ header_s[124, 12] = val
|
|
+ io = TempIO.new header_s
|
|
+ assert_raises ArgumentError do
|
|
+ new_header = Gem::Package::TarHeader.from io
|
|
+ end
|
|
+ io.close! if io.respond_to? :close!
|
|
+ end
|
|
+ end
|
|
+
|
|
end
|
|
|
|
diff --git test/rubygems/test_gem_server.rb test/rubygems/test_gem_server.rb
|
|
index 4873fac5b6..96ed9194e9 100644
|
|
--- ruby-2.4.3/test/rubygems/test_gem_server.rb
|
|
+++ ruby-2.4.3/test/rubygems/test_gem_server.rb
|
|
@@ -336,6 +336,171 @@ def test_root_gemdirs
|
|
assert_match 'z 9', @res.body
|
|
end
|
|
|
|
+
|
|
+ def test_xss_homepage_fix_289313
|
|
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
|
+ dir = "#{@gemhome}2"
|
|
+
|
|
+ spec = util_spec 'xsshomepagegem', 1
|
|
+ spec.homepage = "javascript:confirm(document.domain)"
|
|
+
|
|
+ specs_dir = File.join dir, 'specifications'
|
|
+ FileUtils.mkdir_p specs_dir
|
|
+
|
|
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
|
+ io.write spec.to_ruby
|
|
+ end
|
|
+
|
|
+ server = Gem::Server.new dir, process_based_port, false
|
|
+
|
|
+ @req.parse data
|
|
+
|
|
+ server.root @req, @res
|
|
+
|
|
+ assert_equal 200, @res.status
|
|
+ assert_match 'xsshomepagegem 1', @res.body
|
|
+
|
|
+ # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
|
|
+ # valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
|
|
+ # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
|
|
+ # validated in future versions of Gem::Specification.
|
|
+ #
|
|
+ # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
|
|
+ #
|
|
+ # Variant #1 - rdoc not installed
|
|
+ #
|
|
+ # <b>xsshomepagegem 1</b>
|
|
+ #
|
|
+ #
|
|
+ # <span title="rdoc not installed">[rdoc]</span>
|
|
+ #
|
|
+ #
|
|
+ #
|
|
+ # <a href="." title=".">[www]</a>
|
|
+ #
|
|
+ # Variant #2 - rdoc installed
|
|
+ #
|
|
+ # <b>xsshomepagegem 1</b>
|
|
+ #
|
|
+ #
|
|
+ # <a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>
|
|
+ #
|
|
+ #
|
|
+ #
|
|
+ # <a href="." title=".">[www]</a>
|
|
+ regex_match = /xsshomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
|
|
+ assert_match regex_match, @res.body
|
|
+ end
|
|
+
|
|
+ def test_invalid_homepage
|
|
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
|
+ dir = "#{@gemhome}2"
|
|
+
|
|
+ spec = util_spec 'invalidhomepagegem', 1
|
|
+ spec.homepage = "notavalidhomepageurl"
|
|
+
|
|
+ specs_dir = File.join dir, 'specifications'
|
|
+ FileUtils.mkdir_p specs_dir
|
|
+
|
|
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
|
+ io.write spec.to_ruby
|
|
+ end
|
|
+
|
|
+ server = Gem::Server.new dir, process_based_port, false
|
|
+
|
|
+ @req.parse data
|
|
+
|
|
+ server.root @req, @res
|
|
+
|
|
+ assert_equal 200, @res.status
|
|
+ assert_match 'invalidhomepagegem 1', @res.body
|
|
+
|
|
+ # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
|
|
+ # valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
|
|
+ # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
|
|
+ # validated in future versions of Gem::Specification.
|
|
+ #
|
|
+ # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
|
|
+ #
|
|
+ # Variant #1 - rdoc not installed
|
|
+ #
|
|
+ # <b>invalidhomepagegem 1</b>
|
|
+ #
|
|
+ #
|
|
+ # <span title="rdoc not installed">[rdoc]</span>
|
|
+ #
|
|
+ #
|
|
+ #
|
|
+ # <a href="." title=".">[www]</a>
|
|
+ #
|
|
+ # Variant #2 - rdoc installed
|
|
+ #
|
|
+ # <b>invalidhomepagegem 1</b>
|
|
+ #
|
|
+ #
|
|
+ # <a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>
|
|
+ #
|
|
+ #
|
|
+ #
|
|
+ # <a href="." title=".">[www]</a>
|
|
+ regex_match = /invalidhomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
|
|
+ assert_match regex_match, @res.body
|
|
+ end
|
|
+
|
|
+ def test_valid_homepage_http
|
|
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
|
+ dir = "#{@gemhome}2"
|
|
+
|
|
+ spec = util_spec 'validhomepagegemhttp', 1
|
|
+ spec.homepage = "http://rubygems.org"
|
|
+
|
|
+ specs_dir = File.join dir, 'specifications'
|
|
+ FileUtils.mkdir_p specs_dir
|
|
+
|
|
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
|
+ io.write spec.to_ruby
|
|
+ end
|
|
+
|
|
+ server = Gem::Server.new dir, process_based_port, false
|
|
+
|
|
+ @req.parse data
|
|
+
|
|
+ server.root @req, @res
|
|
+
|
|
+ assert_equal 200, @res.status
|
|
+ assert_match 'validhomepagegemhttp 1', @res.body
|
|
+
|
|
+ regex_match = /validhomepagegemhttp 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttp-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="http:\/\/rubygems\.org" title="http:\/\/rubygems\.org">\[www\]<\/a>/
|
|
+ assert_match regex_match, @res.body
|
|
+ end
|
|
+
|
|
+ def test_valid_homepage_https
|
|
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
|
|
+ dir = "#{@gemhome}2"
|
|
+
|
|
+ spec = util_spec 'validhomepagegemhttps', 1
|
|
+ spec.homepage = "https://rubygems.org"
|
|
+
|
|
+ specs_dir = File.join dir, 'specifications'
|
|
+ FileUtils.mkdir_p specs_dir
|
|
+
|
|
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
|
|
+ io.write spec.to_ruby
|
|
+ end
|
|
+
|
|
+ server = Gem::Server.new dir, process_based_port, false
|
|
+
|
|
+ @req.parse data
|
|
+
|
|
+ server.root @req, @res
|
|
+
|
|
+ assert_equal 200, @res.status
|
|
+ assert_match 'validhomepagegemhttps 1', @res.body
|
|
+
|
|
+ regex_match = /validhomepagegemhttps 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttps-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="https:\/\/rubygems\.org" title="https:\/\/rubygems\.org">\[www\]<\/a>/
|
|
+ assert_match regex_match, @res.body
|
|
+ end
|
|
+
|
|
def test_specs
|
|
data = StringIO.new "GET /specs.#{Gem.marshal_version} HTTP/1.0\r\n\r\n"
|
|
@req.parse data
|
|
diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb
|
|
index 0fcc11e78f..1c68826fb3 100644
|
|
--- ruby-2.4.3/test/rubygems/test_gem_specification.rb
|
|
+++ ruby-2.4.3/test/rubygems/test_gem_specification.rb
|
|
@@ -2890,7 +2890,22 @@ def test_validate_homepage
|
|
@a1.validate
|
|
end
|
|
|
|
- assert_equal '"over at my cool site" is not a URI', e.message
|
|
+ assert_equal '"over at my cool site" is not a valid HTTP URI', e.message
|
|
+
|
|
+ @a1.homepage = 'ftp://rubygems.org'
|
|
+
|
|
+ e = assert_raises Gem::InvalidSpecificationException do
|
|
+ @a1.validate
|
|
+ end
|
|
+
|
|
+ assert_equal '"ftp://rubygems.org" is not a valid HTTP URI', e.message
|
|
+
|
|
+ @a1.homepage = 'http://rubygems.org'
|
|
+ assert_equal true, @a1.validate
|
|
+
|
|
+ @a1.homepage = 'https://rubygems.org'
|
|
+ assert_equal true, @a1.validate
|
|
+
|
|
end
|
|
end
|
|
|