ruby-changes:37170
From: nobu <ko1@a...>
Date: Wed, 14 Jan 2015 16:45:57 +0900 (JST)
Subject: [ruby-changes:37170] nobu:r49251 (trunk): downloader.rb: verify gems
nobu 2015-01-14 16:45:28 +0900 (Wed, 14 Jan 2015) New Revision: 49251 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=49251 Log: downloader.rb: verify gems * tool/downloader.rb (RubyGems.download): verify downloaded gem packages. LowSecurity to allow untrusted certificates now. Modified files: trunk/ChangeLog trunk/tool/downloader.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 49250) +++ ChangeLog (revision 49251) @@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Wed Jan 14 16:45:24 2015 Nobuyoshi Nakada <nobu@r...> + + * tool/downloader.rb (RubyGems.download): verify downloaded gem + packages. LowSecurity to allow untrusted certificates now. + Wed Jan 14 15:43:48 2015 Nobuyoshi Nakada <nobu@r...> * ext/readline/readline.c (readline_s_refresh_line): initialize Index: tool/downloader.rb =================================================================== --- tool/downloader.rb (revision 49250) +++ tool/downloader.rb (revision 49251) @@ -38,11 +38,29 @@ class Downloader https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L38 class RubyGems < self def self.download(name, dir = nil, ims = true, options = {}) + require 'rubygems' + require 'rubygems/package' options[:ssl_ca_cert] = Dir.glob(File.expand_path("../lib/rubygems/ssl_certs/*.pem", File.dirname(__FILE__))) if $rubygems_schema != 'https' warn "*** using http instead of https ***" end - super("#{$rubygems_schema}://rubygems.org/downloads/#{name}", name, dir, ims, options) + file = under(dir, name) + super("#{$rubygems_schema}://rubygems.org/downloads/#{name}", file, nil, ims, options) or + return false + pkg = Gem::Package.new(file) + pkg.security_policy = Gem::Security::LowSecurity + begin + pkg.verify + rescue Gem::Security::Exception => e + $stderr.puts e.message + File.unlink(file) + false + else + true + end + end + + def self.verify(pkg) end end 
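Review bot: The policy assigned on the `pkg.security_policy = Gem::Security::LowSecurity` line leaves RubyGems' `only_signed` flag off (as LowSecurity is defined upstream), so an unsigned gem — or one re-signed with any self-signed certificate — still passes `pkg.verify`, which means the new check cannot detect a substituted package; that matters most on the `http` fallback the hunk still only warns about rather than refuses. If signed gems are expected, a policy built with `only_signed: true` would at least force a signature to be present; the stronger fix is to compare the downloaded file against a pinned digest before `Gem::Package.new(file)`, which the commit does not add. The `rescue Gem::Security::Exception => e` branch is also the only cleanup path: if `pkg.verify` raises a different `Gem` error on a truncated or corrupt download (presumably `Gem::Package::FormatError`), the file is left on disk and the exception propagates — `rescue Gem::Security::Exception, Gem::Package::FormatError => e` would cover both. The empty `def self.verify(pkg)` stub added at the end of the hunk is never called here and could be dropped.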
@@ -86,7 +104,7 @@ class Downloader https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L104 # download 'http://www.unicode.org/Public/UCD/latest/ucd/UnicodeData.txt', # 'UnicodeData.txt', 'enc/unicode/data' def self.download(url, name, dir = nil, ims = true, options = {}) - file = dir ? File.join(dir, File.basename(name)) : name + file = under(dir, name) if ims.nil? and File.exist?(file) if $VERBOSE $stdout.puts "#{name} already exists" @@ -141,6 +159,10 @@ class Downloader https://github.com/ruby/ruby/blob/trunk/tool/downloader.rb#L159 rescue => e raise "failed to download #{name}\n#{e.message}: #{url}" end + + def self.under(dir, name) + dir ? File.join(dir, File.basename(name)) : name + end end if $0 == __FILE__ -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
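Review bot: The new `self.under(dir, name)` helper has no comment, and its asymmetry is easy to misread: `File.basename(name)` is applied only when `dir` is given, while a nil `dir` returns `name` untouched, directory components included. A one-line comment above it such as `# Path to store +name+ under +dir+ (basename only); +name+ itself when +dir+ is nil.` would record that this is intentional. The `self.download` body touched by the `@@ -86` hunk continues outside the hunk.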