ruby-changes:31727
From: drbrain <ko1@a...>
Date: Sat, 23 Nov 2013 03:53:30 +0900 (JST)
Subject: [ruby-changes:31727] drbrain:r43806 (trunk): * lib/rubygems: Update to RubyGems master dcce4ff. Important changes
drbrain 2013-11-23 03:53:21 +0900 (Sat, 23 Nov 2013) New Revision: 43806 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=43806 Log: * lib/rubygems: Update to RubyGems master dcce4ff. Important changes in this commit: Remove automatic detection of gem dependencies files. This prevents a security hole as described in [ruby-core:58490] Fixed bugs for installing git gems. * test/rubygems: ditto. Modified files: trunk/ChangeLog trunk/lib/rubygems/resolver/composed_set.rb trunk/lib/rubygems/source/git.rb trunk/lib/rubygems/specification.rb trunk/lib/rubygems.rb trunk/test/rubygems/test_gem.rb trunk/test/rubygems/test_gem_source_git.rb trunk/test/rubygems/test_gem_specification.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 43805) +++ ChangeLog (revision 43806) @@ -1,3 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Sat Nov 23 03:44:03 2013 Eric Hodel <drbrain@s...> + + * lib/rubygems: Update to RubyGems master dcce4ff. Important changes + in this commit: + + Remove automatic detection of gem dependencies files. This prevents a + security hole as described in [ruby-core:58490] + + Fixed bugs for installing git gems. + + * test/rubygems: ditto. + Fri Nov 22 22:30:00 2013 Kenta Murata <mrkn@m...> * ext/bigdecimal/bigdecimal.c (BigDecimal_power): Index: lib/rubygems/specification.rb =================================================================== --- lib/rubygems/specification.rb (revision 43805) +++ lib/rubygems/specification.rb (revision 43806) 
@@ -2177,7 +2177,7 @@ class Gem::Specification < Gem::BasicSpe https://github.com/ruby/ruby/blob/trunk/lib/rubygems/specification.rb#L2177 # Used by Gem::Resolver to order Gem::Specification objects def source # :nodoc: - self + Gem::Source::Installed.new end ## Index: lib/rubygems/source/git.rb =================================================================== --- lib/rubygems/source/git.rb (revision 43805) +++ lib/rubygems/source/git.rb (revision 43806) @@ -121,6 +121,12 @@ class Gem::Source::Git < Gem::Source https://github.com/ruby/ruby/blob/trunk/lib/rubygems/source/git.rb#L121 end ## + # Nothing to download for git gems + + def download full_spec, path # :nodoc: + end + + ## # The directory where the git gem will be installed. def install_dir # :nodoc: Index: lib/rubygems/resolver/composed_set.rb =================================================================== --- lib/rubygems/resolver/composed_set.rb (revision 43805) +++ lib/rubygems/resolver/composed_set.rb (revision 43806) @@ -23,9 +23,9 @@ class Gem::Resolver::ComposedSet < Gem:: https://github.com/ruby/ruby/blob/trunk/lib/rubygems/resolver/composed_set.rb#L23 # Finds all specs matching +req+ in all sets. def find_all req - res = [] - @sets.each { |s| res += s.find_all(req) } - res + @sets.map do |s| + s.find_all req + end.flatten end ## Index: lib/rubygems.rb =================================================================== --- lib/rubygems.rb (revision 43805) +++ lib/rubygems.rb (revision 43806) @@ -8,7 +8,7 @@ https://github.com/ruby/ruby/blob/trunk/lib/rubygems.rb#L8 require 'rbconfig' module Gem - VERSION = '2.2.0.preview.2' + VERSION = '2.2.0' end # Must be first since it unloads the prelude from 1.9.2 
@@ -995,12 +995,16 @@ module Gem https://github.com/ruby/ruby/blob/trunk/lib/rubygems.rb#L995 # Looks for gem dependency files (gem.deps.rb, Gemfile, Isolate) from the # current directory up and activates the gems in the first file found. # - # This is run automatically when rubygems starts. To disable, set - # the <code>RUBYGEMS_GEMDEPS=</code> environment variable to an empty - # string. + # You can run this automatically when rubygems starts. To enable, set + # the <code>RUBYGEMS_GEMDEPS</code> environment variable to either the path + # of your Gemfile or "-" to auto-discover in parent directories. + # + # NOTE: Enabling automatic discovery on multiuser systems can lead to + # execution of arbitrary code when used from directories outside your + # control. def self.use_gemdeps - return unless path = ENV['RUBYGEMS_GEMDEPS'] || '-' + return unless path = ENV['RUBYGEMS_GEMDEPS'] path = path.dup.untaint if path == "-" Index: test/rubygems/test_gem.rb =================================================================== --- test/rubygems/test_gem.rb (revision 43805) +++ test/rubygems/test_gem.rb (revision 43806) @@ -1258,6 +1258,24 @@ class TestGem < Gem::TestCase https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem.rb#L1258 Gem.use_gemdeps + refute spec.activated? + ensure + ENV['RUBYGEMS_GEMDEPS'] = rubygems_gemdeps + end + + def test_use_gemdeps_automatic + rubygems_gemdeps, ENV['RUBYGEMS_GEMDEPS'] = ENV['RUBYGEMS_GEMDEPS'], '-' + + spec = util_spec 'a', 1 + + refute spec.activated? + + open 'Gemfile', 'w' do |io| + io.write 'gem "a"' + end + + Gem.use_gemdeps + assert spec.activated? ensure ENV['RUBYGEMS_GEMDEPS'] = rubygems_gemdeps Index: test/rubygems/test_gem_specification.rb =================================================================== --- test/rubygems/test_gem_specification.rb (revision 43805) +++ test/rubygems/test_gem_specification.rb (revision 43806) 
@@ -1738,6 +1738,10 @@ dependencies: [] https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem_specification.rb#L1738 RbConfig::CONFIG['ENABLE_SHARED'] = enable_shared end + def test_source + assert_kind_of Gem::Source::Installed, @a1.source + end + def test_full_require_paths ext_spec Index: test/rubygems/test_gem_source_git.rb =================================================================== --- test/rubygems/test_gem_source_git.rb (revision 43805) +++ test/rubygems/test_gem_source_git.rb (revision 43806) @@ -51,6 +51,10 @@ class TestGemSourceGit < Gem::TestCase https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem_source_git.rb#L51 assert_equal @head[0..11], @source.dir_shortref end + def test_download + refute @source.download nil, nil + end + def test_equals2 assert_equal @source, @source -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
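Review bot: In the lib/rubygems/specification.rb hunk, `def source` now returns a fresh `Gem::Source::Installed.new` on every call, so two calls on the same spec yield different objects; since the comment says the resolver uses this to order specifications, consider memoizing (`@source ||= Gem::Source::Installed.new`) or confirming that `Gem::Source::Installed` implements `<=>`/`==` so ordering does not depend on identity.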
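Review bot: In the lib/rubygems/resolver/composed_set.rb hunk, `@sets.map do |s| s.find_all req end.flatten` does a deep flatten, which would silently merge any nested arrays a set happens to return; `@sets.flat_map { |s| s.find_all req }` expresses the intent (one level of concatenation) and avoids the `do ... end.flatten` chain on a block, which is easy to misread.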
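Review bot: In the lib/rubygems.rb `use_gemdeps` hunk, the guard `return unless path = ENV['RUBYGEMS_GEMDEPS']` only stops on a nil variable; an empty string (the value the removed comment told users to set to disable the feature) is truthy in Ruby, so it passes the guard and proceeds to `path.dup.untaint` and the file lookup. Suggest `return if path.nil? || path.empty?` (or documenting the new behaviour of an empty value) so that users who followed the previous advice do not get unexpected behaviour. The new NOTE about arbitrary code execution from directories outside your control is the right thing to have in the doc comment, since this is the [ruby-core:58490] fix.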
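Review bot: In the test/rubygems/test_gem.rb hunk, `test_use_gemdeps_automatic` writes a `Gemfile` into the current directory and never removes it; unless `Gem::TestCase` already sandboxes the working directory, the file can leak into later tests (including the preceding test that now asserts `refute spec.activated?` with the variable unset). Suggest deleting it in the `ensure` block or writing it under a `Dir.mktmpdir` that the test chdirs into.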
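Review bot: In the test/rubygems/test_gem_source_git.rb hunk, `refute @source.download nil, nil` only checks that the no-op `download` returns a falsy value; passing `nil` for both arguments documents nothing about what a caller is expected to supply. Consider passing a real spec and path (as the resolver would) and asserting that nothing is written to `path`, which is the behaviour the "Nothing to download for git gems" comment actually promises.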