ruby-changes:48035

From: hsbt <ko1@a...>
Date: Tue, 10 Oct 2017 17:58:27 +0900 (JST)
Subject: [ruby-changes:48035] hsbt:r60149 (trunk): Merge rubygems-2.6.14 changes.

hsbt	2017-10-10 17:58:22 +0900 (Tue, 10 Oct 2017)

  New Revision: 60149

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=60149

  Log:
    Merge rubygems-2.6.14 changes.
    
      It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

  Added files:
    trunk/lib/rubygems/safe_yaml.rb
  Modified files:
    trunk/lib/rubygems/config_file.rb
    trunk/lib/rubygems/package/old.rb
    trunk/lib/rubygems/package.rb
    trunk/lib/rubygems/specification.rb
    trunk/lib/rubygems.rb
Index: lib/rubygems.rb
===================================================================
--- lib/rubygems.rb	(revision 60148)
+++ lib/rubygems.rb	(revision 60149)
@@ -10,7 +10,7 @@ require 'rbconfig' https://github.com/ruby/ruby/blob/trunk/lib/rubygems.rb#L10
 require 'thread'
 
 module Gem
-  VERSION = "2.6.13"
+  VERSION = "2.6.14"
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -690,7 +690,7 @@ An Array (#{env.inspect}) was passed in https://github.com/ruby/ruby/blob/trunk/lib/rubygems.rb#L690
 
     unless test_syck
       begin
-        gem 'psych', '>= 1.2.1'
+        gem 'psych', '>= 2.0.0'
       rescue Gem::LoadError
         # It's OK if the user does not have the psych gem installed.  We will
         # attempt to require the stdlib version
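Review bot: the bump to `gem 'psych', '>= 2.0.0'` only governs the gem-activated psych; the `rescue Gem::LoadError` branch right below still falls through to whatever psych the stdlib ships, which on older Rubies can predate `safe_load`. Because the whole fix later keys off `::YAML.respond_to? :safe_load`, the minimum psych version this merge actually requires should be stated in the commit message or NEWS, and the stdlib fallback should fail loudly rather than quietly when the copy it finds is too old.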
@@ -714,6 +714,7 @@ An Array (#{env.inspect}) was passed in https://github.com/ruby/ruby/blob/trunk/lib/rubygems.rb#L714
     end
 
     require 'yaml'
+    require 'rubygems/safe_yaml'
 
     # If we're supposed to be using syck, then we may have to force
     # activate it via the YAML::ENGINE API.
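Review bot: `require 'rubygems/safe_yaml'` is placed before the syck-forcing code the following comment announces, and `Gem::SafeYAML` decides which branch to define at require time by evaluating `::YAML.respond_to? :safe_load` once. If the engine is switched to syck afterwards, the module has already bound methods that call `::YAML.safe_load` on an engine that does not provide it. Either move the require after the engine selection, or evaluate the `respond_to?` check lazily inside `safe_load`/`load` instead of at module load.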
Index: lib/rubygems/safe_yaml.rb
===================================================================
--- lib/rubygems/safe_yaml.rb	(nonexistent)
+++ lib/rubygems/safe_yaml.rb	(revision 60149)
@@ -0,0 +1,48 @@ https://github.com/ruby/ruby/blob/trunk/lib/rubygems/safe_yaml.rb#L1
+module Gem
+
+  ###
+  # This module is used for safely loading YAML specs from a gem.  The
+  # `safe_load` method defined on this module is specifically designed for
+  # loading Gem specifications.  For loading other YAML safely, please see
+  # Psych.safe_load
+
+  module SafeYAML
+    WHITELISTED_CLASSES = %w(
+      Symbol
+      Time
+      Date
+      Gem::Dependency
+      Gem::Platform
+      Gem::Requirement
+      Gem::Specification
+      Gem::Version
+      Gem::Version::Requirement
+      YAML::Syck::DefaultKey
+      Syck::DefaultKey
+    )
+
+    WHITELISTED_SYMBOLS = %w(
+      development
+      runtime
+    )
+
+    if ::YAML.respond_to? :safe_load
+      def self.safe_load input
+        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+      end
+
+      def self.load input
+        ::YAML.safe_load(input, [::Symbol])
+      end
+    else
+      warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+      def self.safe_load input, *args
+        ::YAML.load input
+      end
+
+      def self.load input
+        ::YAML.load input
+      end
+    end
+  end
+end
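Review bot: the `else` branch of the `::YAML.respond_to? :safe_load` check defines both `safe_load` and `load` as plain `::YAML.load`, so on a psych without `safe_load` the unsafe-deserialization issue this merge is meant to fix remains fully exploitable, and the only signal is a single `warn` printed once at require time. At minimum the warning should say that installing or inspecting gems is unsafe in this state; better to raise, so a user cannot keep running in degraded mode without noticing. Two smaller points in the same file: the fallback `safe_load input, *args` accepts extra arguments that the safe branch's `safe_load input` rejects, so the two signatures diverge; and `load` passes the constant `::Symbol` while `safe_load` passes class names as strings (`WHITELISTED_CLASSES`), so pick one form for both. Finally, `safe_load` enables aliases (the fourth argument, `true`) while `load` does not; a one-line comment saying why spec YAML needs aliases would save the next reader from guessing.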
Index: lib/rubygems/config_file.rb
===================================================================
--- lib/rubygems/config_file.rb	(revision 60148)
+++ lib/rubygems/config_file.rb	(revision 60149)
@@ -354,7 +354,7 @@ if you believe they were disclosed to a https://github.com/ruby/ruby/blob/trunk/lib/rubygems/config_file.rb#L354
     return {} unless filename and File.exist? filename
 
     begin
-      content = YAML.load(File.read(filename))
+      content = Gem::SafeYAML.load(File.read(filename))
       unless content.kind_of? Hash
         warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
         return {}
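Review bot: `Gem::SafeYAML` only exists after `Gem.load_yaml` has run, since the new `require 'rubygems/safe_yaml'` in lib/rubygems.rb sits inside that method after `require 'yaml'`, and this hunk shows no `Gem.load_yaml` call before `Gem::SafeYAML.load`, unlike the specification.rb change which calls it first. Please confirm the config loader always runs after `load_yaml`, or add the call here, otherwise reading a config file in a fresh process raises NameError. The `kind_of? Hash` check that follows is the right shape; note that with only `Symbol` whitelisted a config file carrying an object tag now raises `Psych::DisallowedClass` from inside `load` instead of returning an object, so the enclosing `begin` should rescue that exception (if it does not already) and treat a hostile file the same way as a malformed one.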
Index: lib/rubygems/specification.rb
===================================================================
--- lib/rubygems/specification.rb	(revision 60148)
+++ lib/rubygems/specification.rb	(revision 60149)
@@ -1128,7 +1128,7 @@ class Gem::Specification < Gem::BasicSpe https://github.com/ruby/ruby/blob/trunk/lib/rubygems/specification.rb#L1128
     Gem.load_yaml
 
     input = normalize_yaml_input input
-    spec = YAML.load input
+    spec = Gem::SafeYAML.safe_load input
 
     if spec && spec.class == FalseClass then
       raise Gem::EndOfYAMLException
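Review bot: `Gem.load_yaml` runs immediately above, so `Gem::SafeYAML` is guaranteed to be defined here. The behaviour change deserves a sentence in the commit message: a gemspec carrying a tag outside `WHITELISTED_CLASSES`, or a symbol outside `WHITELISTED_SYMBOLS`, now raises `Psych::DisallowedClass` out of `safe_load` instead of returning an object, and neither the `spec.class == FalseClass` check nor `Gem::EndOfYAMLException` below covers that. Make sure the callers that feed untrusted gemspecs through this path convert it into a `Gem::Exception` that names the offending tag, rather than letting an unhandled Psych error surface.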
Index: lib/rubygems/package/old.rb
===================================================================
--- lib/rubygems/package/old.rb	(revision 60148)
+++ lib/rubygems/package/old.rb	(revision 60149)
@@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package https://github.com/ruby/ruby/blob/trunk/lib/rubygems/package/old.rb#L101
       header << line
     end
 
-    YAML.load header
+    Gem::SafeYAML.safe_load header
   end
 
   ##
Index: lib/rubygems/package.rb
===================================================================
--- lib/rubygems/package.rb	(revision 60148)
+++ lib/rubygems/package.rb	(revision 60149)
@@ -468,7 +468,7 @@ EOM https://github.com/ruby/ruby/blob/trunk/lib/rubygems/package.rb#L468
 
     @checksums = gem.seek 'checksums.yaml.gz' do |entry|
       Zlib::GzipReader.wrap entry do |gz_io|
-        YAML.load gz_io.read
+        Gem::SafeYAML.safe_load gz_io.read
       end
     end
   end
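Review bot: unless `checksums.yaml.gz` can legitimately carry `Gem::` objects (as far as I know it holds digest algorithm names mapped to file-name/hex-digest strings), `safe_load` with the full spec whitelist (`Gem::Specification`, `Gem::Dependency`, `Time`, aliases on) is broader than this input needs. `Gem::SafeYAML.load`, which admits plain data plus `Symbol`, would be the least-privilege choice, and a `kind_of? Hash` check on the result, as config_file.rb does, would reject a checksums file that deserializes to anything else before `@checksums` is consulted.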

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/