Merge rubygems-2.6.14 changes.
It fixes the issue described at http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60149 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
parent
6d86ee593a
commit
500f15e507
@ -10,7 +10,7 @@ require 'rbconfig'
|
|||||||
require 'thread'
|
require 'thread'
|
||||||
|
|
||||||
module Gem
|
module Gem
|
||||||
VERSION = "2.6.13"
|
VERSION = "2.6.14"
|
||||||
end
|
end
|
||||||
|
|
||||||
# Must be first since it unloads the prelude from 1.9.2
|
# Must be first since it unloads the prelude from 1.9.2
|
||||||
@ -690,7 +690,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
|
|||||||
|
|
||||||
unless test_syck
|
unless test_syck
|
||||||
begin
|
begin
|
||||||
gem 'psych', '>= 1.2.1'
|
gem 'psych', '>= 2.0.0'
|
||||||
rescue Gem::LoadError
|
rescue Gem::LoadError
|
||||||
# It's OK if the user does not have the psych gem installed. We will
|
# It's OK if the user does not have the psych gem installed. We will
|
||||||
# attempt to require the stdlib version
|
# attempt to require the stdlib version
|
||||||
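Review bot: The `rescue Gem::LoadError` after the new `'>= 2.0.0'` requirement keeps going with whatever psych the stdlib ships, and the comment that follows still says only that a missing gem is fine; since the Gem::SafeYAML module added in this commit picks plain `::YAML.load` when `safe_load` is unavailable, a stdlib psych older than 2.0 leaves the YAML hardening inactive without this call site saying so. Suggest extending the comment: `# attempt to require the stdlib version. If that psych predates 2.0 (no safe_load), Gem::SafeYAML silently falls back to YAML.load.` The enclosing method starts before and ends after the hunk.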
@ -714,6 +714,7 @@ An Array (#{env.inspect}) was passed in from #{caller[3]}
|
|||||||
end
|
end
|
||||||
|
|
||||||
require 'yaml'
|
require 'yaml'
|
||||||
|
require 'rubygems/safe_yaml'
|
||||||
|
|
||||||
# If we're supposed to be using syck, then we may have to force
|
# If we're supposed to be using syck, then we may have to force
|
||||||
# activate it via the YAML::ENGINE API.
|
# activate it via the YAML::ENGINE API.
|
||||||
|
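Review bot: The new `require 'rubygems/safe_yaml'` is position-sensitive but nothing says so: safe_yaml.rb evaluates `::YAML.respond_to? :safe_load` at load time to choose its implementation, so this line has to stay after `require 'yaml'` and after the psych activation earlier in this method, or the plain `YAML.load` fallback is selected permanently. Suggest a comment on the added line: `# Must follow 'yaml': Gem::SafeYAML chooses its loader when first required`. The enclosing method begins and ends outside the hunk.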
@ -354,7 +354,7 @@ if you believe they were disclosed to a third party.
|
|||||||
return {} unless filename and File.exist? filename
|
return {} unless filename and File.exist? filename
|
||||||
|
|
||||||
begin
|
begin
|
||||||
content = YAML.load(File.read(filename))
|
content = Gem::SafeYAML.load(File.read(filename))
|
||||||
unless content.kind_of? Hash
|
unless content.kind_of? Hash
|
||||||
warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
|
warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
|
||||||
return {}
|
return {}
|
||||||
|
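Review bot: With `Gem::SafeYAML.load` on the changed line, a config file containing any tagged object other than a Symbol now raises `Psych::DisallowedClass` (psych >= 2.0) where `YAML.load` used to deserialize it; the `rescue` that pairs with the `begin` above is outside the hunk, so I cannot see whether it covers that class — if it only handles syntax errors the user gets a backtrace instead of the existing "Failed to load" warning. Suggest handling it next to the existing rescue, e.g. `rescue Psych::DisallowedClass => e` / `warn "Failed to load #{filename}: #{e.message}"` / `return {}`, noting that the constant only exists when psych provides safe_load. The enclosing method starts before and ends after the hunk.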
@ -468,7 +468,7 @@ EOM
|
|||||||
|
|
||||||
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
|
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
|
||||||
Zlib::GzipReader.wrap entry do |gz_io|
|
Zlib::GzipReader.wrap entry do |gz_io|
|
||||||
YAML.load gz_io.read
|
Gem::SafeYAML.safe_load gz_io.read
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
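Review bot: `Gem::SafeYAML.safe_load` on the changed line permits the whole spec class list (Gem::Specification, Gem::Dependency, Time, ...) for a file that, judging by its name, should hold only digest strings keyed by algorithm and entry name; the narrower `Gem::SafeYAML.load` (Symbol only) would be least privilege here, `Gem::SafeYAML.safe_load gz_io.read` → `Gem::SafeYAML.load gz_io.read`. Confirm against the code that writes checksums.yaml.gz before switching, since any tagged object there would then be rejected. The enclosing method starts and ends outside the hunk.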
@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package
|
|||||||
header << line
|
header << line
|
||||||
end
|
end
|
||||||
|
|
||||||
YAML.load header
|
Gem::SafeYAML.safe_load header
|
||||||
end
|
end
|
||||||
|
|
||||||
##
|
##
|
||||||
|
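--- /dev/null
+++ b/lib/rubygems/safe_yaml.rb
@@ -0,0 +1,48 @@
+module Gem
+
+###
+# This module is used for safely loading YAML specs from a gem. The
+# `safe_load` method defined on this module is specifically designed for
+# loading Gem specifications. For loading other YAML safely, please see
+# Psych.safe_load
+
+module SafeYAML
+WHITELISTED_CLASSES = %w(
+Symbol
+Time
+Date
+Gem::Dependency
+Gem::Platform
+Gem::Requirement
+Gem::Specification
+Gem::Version
+Gem::Version::Requirement
+YAML::Syck::DefaultKey
+Syck::DefaultKey
+)
+
+WHITELISTED_SYMBOLS = %w(
+development
+runtime
+)
+
+if ::YAML.respond_to? :safe_load
+def self.safe_load input
+::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+end
+
+def self.load input
+::YAML.safe_load(input, [::Symbol])
+end
+
+else
+warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+def self.safe_load input, *args
+::YAML.load input
+end
+
+def self.load input
+::YAML.load input
+end
+end
+end
+end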
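Review bot: In the `else` branch both `safe_load` and `load` degrade to plain `::YAML.load` with only a one-time `warn` at require time, so the call sites switched to Gem::SafeYAML elsewhere in this commit get no per-call indication that untrusted YAML is being fully deserialized on psych < 2.0; the module comment should at least state that the protection requires psych >= 2.0, e.g. `# NOTE: on psych < 2.0 (no Psych.safe_load) both methods fall back to YAML.load and provide no protection.` The two `safe_load` definitions also differ in signature (the fallback accepts `input, *args`, the primary only `input`), so a caller passing extra arguments works on one path and raises ArgumentError on the other; use `def self.safe_load input` in both. The two whitelists are mutable constants, and `load` spells its allowed class as `[::Symbol]` while `safe_load` uses class-name strings; `%w(...).freeze` and one consistent form would tidy that up.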
@ -1128,7 +1128,7 @@ class Gem::Specification < Gem::BasicSpecification
|
|||||||
Gem.load_yaml
|
Gem.load_yaml
|
||||||
|
|
||||||
input = normalize_yaml_input input
|
input = normalize_yaml_input input
|
||||||
spec = YAML.load input
|
spec = Gem::SafeYAML.safe_load input
|
||||||
|
|
||||||
if spec && spec.class == FalseClass then
|
if spec && spec.class == FalseClass then
|
||||||
raise Gem::EndOfYAMLException
|
raise Gem::EndOfYAMLException
|
||||||
|
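Review bot: The guard on the line after the new `Gem::SafeYAML.safe_load` call cannot fire: `spec && spec.class == FalseClass` is false whenever `spec` is `false`, the only value whose class is FalseClass, so `raise Gem::EndOfYAMLException` is unreachable; if the intent is to catch a loader that returns `false` for an empty document, `if spec == false then` does it. Separately, `safe_load` now raises `Psych::DisallowedClass` for specs carrying tags outside the whitelist where `YAML.load` would have succeeded, so the caller's error handling, which is outside the hunk, should be checked for that case. The enclosing method starts before and ends after the hunk.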