ruby-changes:27090
From: drbrain <ko1@a...>
Date: Fri, 8 Feb 2013 08:21:35 +0900 (JST)
Subject: [ruby-changes:27090] drbrain:r39142 (trunk): * lib/rubygems/package/old.rb: Disallow installation of old-format
drbrain 2013-02-08 07:48:35 +0900 (Fri, 08 Feb 2013) New Revision: 39142 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=39142 Log: * lib/rubygems/package/old.rb: Disallow installation of old-format gems when a security policy is active. * test/rubygems/test_gem_package_old.rb: Test for above. Modified files: trunk/ChangeLog trunk/lib/rubygems/package/old.rb trunk/test/rubygems/test_gem_package_old.rb
Index: ChangeLog
===================================================================
--- ChangeLog (revision 39141)
+++ ChangeLog (revision 39142)
@@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Fri Feb 8 07:47:56 2013 Eric Hodel <drbrain@s...>
+
+ * lib/rubygems/package/old.rb: Disallow installation of old-format
+ gems when a security policy is active.
+ * test/rubygems/test_gem_package_old.rb: Test for above.
+
 Fri Feb 8 07:34:00 2013 Zachary Scott <zachary@z...>
 * lib/net/http.rb (HTTP.post_form): Fix module scope in documentation
Index: lib/rubygems/package/old.rb
===================================================================
--- lib/rubygems/package/old.rb (revision 39141)
+++ lib/rubygems/package/old.rb (revision 39142)
@@ -32,6 +32,8 @@ class Gem::Package::Old < Gem::Package https://github.com/ruby/ruby/blob/trunk/lib/rubygems/package/old.rb#L32
 # A list of file names contained in this gem
 def contents
+ verify
+
 return @contents if @contents
 open @gem, 'rb' do |io|
@@ -46,6 +48,8 @@ class Gem::Package::Old < Gem::Package https://github.com/ruby/ruby/blob/trunk/lib/rubygems/package/old.rb#L48
 # Extracts the files in this package into +destination_dir+
 def extract_files destination_dir
+ verify
+
 errstr = "Error reading files from gem"
 open @gem, 'rb' do |io|
@@ -125,6 +129,8 @@ class Gem::Package::Old < Gem::Package https://github.com/ruby/ruby/blob/trunk/lib/rubygems/package/old.rb#L129
 # The specification for this gem
 def spec
+ verify
+
 return @spec if @spec
 yaml = ''
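Review bot: In `contents` the new `verify` call is placed above `return @contents if @contents`, so the policy check runs on every call rather than only on the first read; `spec` in the third hunk uses the same ordering. That looks deliberate — a policy assigned after the first read is still enforced — but nothing says so, and a later tidy-up that moves the call below the memoized return would silently reopen the bypass. A one-line comment at both sites would pin the intent: `# before the memoized return so a policy set after the first call still applies`. The bodies of contents, extract_files and spec all continue outside their hunks.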
@@ -143,5 +149,19 @@ class Gem::Package::Old < Gem::Package https://github.com/ruby/ruby/blob/trunk/lib/rubygems/package/old.rb#L149
 raise Gem::Exception, "Failed to parse gem specification out of gem file"
 end
+ ##
+ # Raises an exception if a security policy that verifies data is active.
+ # Old format gems cannot be verified as signed.
+
+ def verify
+ return true unless @security_policy
+
+ raise Gem::Security::Exception,
+ 'old format gems do not contain signatures and cannot be verified' if
+ @security_policy.verify_data
+
+ true
+ end
+
 end
Index: test/rubygems/test_gem_package_old.rb
===================================================================
--- test/rubygems/test_gem_package_old.rb (revision 39141)
+++ test/rubygems/test_gem_package_old.rb (revision 39142)
@@ -18,6 +18,14 @@ class TestGemPackageOld < Gem::TestCase https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem_package_old.rb#L18
 assert_equal %w[lib/foo.rb lib/test.rb lib/test/wow.rb], @package.contents
 end
+ def test_contents_security_policy
+ @package.security_policy = Gem::Security::AlmostNoSecurity
+
+ assert_raises Gem::Security::Exception do
+ @package.contents
+ end
+ end
+
 def test_extract_files
 @package.extract_files @destination
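Review bot: The three-line trailing `if` modifier in `verify` (condition on the line after `if`) is hard to scan for what is a security gate, and a guard clause states the same rule in two lines: `return true unless @security_policy && @security_policy.verify_data` followed by `raise Gem::Security::Exception, 'old format gems do not contain signatures and cannot be verified'`. Behaviour is unchanged: no policy or a policy whose `verify_data` is false returns true, anything else raises. The doc comment could also say explicitly that a policy with `verify_data` off (NoSecurity, as test_verify exercises) lets an old-format gem through unverified, since that is the one case a reader of this method needs to know about. `@security_policy` is never assigned in the hunk; the test's `security_policy=` suggests an accessor inherited from Gem::Package, which is outside this diff — worth confirming.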
@@ -29,9 +37,43 @@ class TestGemPackageOld < Gem::TestCase https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem_package_old.rb#L37
 assert_equal mask, File.stat(extracted).mode unless win_platform?
 end
+ def test_extract_files_security_policy
+ @package.security_policy = Gem::Security::AlmostNoSecurity
+
+ assert_raises Gem::Security::Exception do
+ @package.extract_files @destination
+ end
+ end
+
 def test_spec
 assert_equal 'testing', @package.spec.name
 end
+ def test_spec_security_policy
+ @package.security_policy = Gem::Security::AlmostNoSecurity
+
+ assert_raises Gem::Security::Exception do
+ @package.spec
+ end
+ end
+
+ def test_verify
+ assert @package.verify
+
+ @package.security_policy = Gem::Security::NoSecurity
+
+ assert @package.verify
+
+ @package.security_policy = Gem::Security::AlmostNoSecurity
+
+ e = assert_raises Gem::Security::Exception do
+ @package.verify
+ end
+
+ assert_equal 'old format gems do not contain signatures ' +
+ 'and cannot be verified',
+ e.message
+ end
+
 end
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
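Review bot: `test_extract_files_security_policy` asserts only that the exception is raised, not that nothing reached `@destination`; the property that matters for blocking installation is that the policy check fires before any file is written, which `extract_files` calling `verify` ahead of `open @gem` should guarantee. Pinning it in the test keeps a later reordering from passing unnoticed: after the `assert_raises` block add `refute File.exist?(File.join(@destination, 'lib', 'foo.rb'))`, using the file `test_contents` shows the fixture contains. This assumes `@destination` is a path string set up outside the hunk, as its use in `test_extract_files` suggests.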