
ruby-changes:48054

From: nagachika <ko1@a...>
Date: Wed, 11 Oct 2017 22:48:20 +0900 (JST)
Subject: [ruby-changes:48054] nagachika:r60168 (ruby_2_4): merge revision(s) 60149: [Backport #14003]

nagachika	2017-10-11 22:48:14 +0900 (Wed, 11 Oct 2017)

  New Revision: 60168

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=60168

  Log:
    merge revision(s) 60149: [Backport #14003]
    
    Merge rubygems-2.6.14 changes.
    
      It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

  Added files:
    branches/ruby_2_4/lib/rubygems/safe_yaml.rb
  Modified directories:
    branches/ruby_2_4/
  Modified files:
    branches/ruby_2_4/lib/rubygems/config_file.rb
    branches/ruby_2_4/lib/rubygems/package/old.rb
    branches/ruby_2_4/lib/rubygems/package.rb
    branches/ruby_2_4/lib/rubygems/specification.rb
    branches/ruby_2_4/lib/rubygems.rb
    branches/ruby_2_4/version.h
Index: ruby_2_4/version.h
===================================================================
--- ruby_2_4/version.h	(revision 60167)
+++ ruby_2_4/version.h	(revision 60168)
@@ -1,10 +1,10 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_4/version.h#L1
 #define RUBY_VERSION "2.4.3"
-#define RUBY_RELEASE_DATE "2017-09-15"
-#define RUBY_PATCHLEVEL 200
+#define RUBY_RELEASE_DATE "2017-10-11"
+#define RUBY_PATCHLEVEL 201
 
 #define RUBY_RELEASE_YEAR 2017
-#define RUBY_RELEASE_MONTH 9
-#define RUBY_RELEASE_DAY 15
+#define RUBY_RELEASE_MONTH 10
+#define RUBY_RELEASE_DAY 11
 
 #include "ruby/version.h"
 
Index: ruby_2_4/lib/rubygems.rb
===================================================================
--- ruby_2_4/lib/rubygems.rb	(revision 60167)
+++ ruby_2_4/lib/rubygems.rb	(revision 60168)
@@ -10,7 +10,7 @@ require 'rbconfig' https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems.rb#L10
 require 'thread'
 
 module Gem
-  VERSION = "2.6.13"
+  VERSION = "2.6.14"
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -675,7 +675,7 @@ An Array (#{env.inspect}) was passed in https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems.rb#L675
 
     unless test_syck
       begin
-        gem 'psych', '>= 1.2.1'
+        gem 'psych', '>= 2.0.0'
       rescue Gem::LoadError
         # It's OK if the user does not have the psych gem installed.  We will
         # attempt to require the stdlib version
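Review bot: raising the psych activation floor to `'>= 2.0.0'` matches the `safe_load` requirement introduced elsewhere in this change, but the `rescue Gem::LoadError` directly below still tolerates a missing or older psych gem, and the stdlib psych that is then required may predate `safe_load`; this constraint alone does not guarantee safe loading is available. Consider noting that in the comment on the rescue, or checking `YAML.respond_to?(:safe_load)` once the require has settled and failing loudly when it is absent.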
@@ -699,6 +699,7 @@ An Array (#{env.inspect}) was passed in https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems.rb#L699
     end
 
     require 'yaml'
+    require 'rubygems/safe_yaml'
 
     # If we're supposed to be using syck, then we may have to force
     # activate it via the YAML::ENGINE API.
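Review bot: `require 'rubygems/safe_yaml'` is placed before the syck-activation step that the following comment describes, and safe_yaml.rb chooses between its safe and unsafe implementations once, at require time, via `::YAML.respond_to? :safe_load`. If the engine can still be switched to syck after this point, the choice made here may not reflect the engine actually used for loading; moving the require after the engine is finalized, or making the check lazy, would avoid that.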
Index: ruby_2_4/lib/rubygems/package/old.rb
===================================================================
--- ruby_2_4/lib/rubygems/package/old.rb	(revision 60167)
+++ ruby_2_4/lib/rubygems/package/old.rb	(revision 60168)
@@ -101,7 +101,7 @@ class Gem::Package::Old < Gem::Package https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems/package/old.rb#L101
       header << line
     end
 
-    YAML.load header
+    Gem::SafeYAML.safe_load header
   end
 
   ##
Index: ruby_2_4/lib/rubygems/safe_yaml.rb
===================================================================
--- ruby_2_4/lib/rubygems/safe_yaml.rb	(nonexistent)
+++ ruby_2_4/lib/rubygems/safe_yaml.rb	(revision 60168)
@@ -0,0 +1,48 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems/safe_yaml.rb#L1
+module Gem
+
+  ###
+  # This module is used for safely loading YAML specs from a gem.  The
+  # `safe_load` method defined on this module is specifically designed for
+  # loading Gem specifications.  For loading other YAML safely, please see
+  # Psych.safe_load
+
+  module SafeYAML
+    WHITELISTED_CLASSES = %w(
+      Symbol
+      Time
+      Date
+      Gem::Dependency
+      Gem::Platform
+      Gem::Requirement
+      Gem::Specification
+      Gem::Version
+      Gem::Version::Requirement
+      YAML::Syck::DefaultKey
+      Syck::DefaultKey
+    )
+
+    WHITELISTED_SYMBOLS = %w(
+      development
+      runtime
+    )
+
+    if ::YAML.respond_to? :safe_load
+      def self.safe_load input
+        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+      end
+
+      def self.load input
+        ::YAML.safe_load(input, [::Symbol])
+      end
+    else
+      warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+      def self.safe_load input, *args
+        ::YAML.load input
+      end
+
+      def self.load input
+        ::YAML.load input
+      end
+    end
+  end
+end
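Review bot: the `else` branch (from `warn "YAML safe loading is not available..."` through `::YAML.load input`) only warns and then falls back to the unrestricted `::YAML.load`, so on a psych without `safe_load` the deserialization this change is meant to close stays open, with nothing more than one line on stderr. Raising, or making the fallback opt-in, would be the safer default; if the fallback must stay, the module comment should say so. Two smaller points: the fallback `safe_load input, *args` accepts extra arguments that the primary definition does not, so the two branches expose different signatures; and the fourth positional argument `true` passed to `::YAML.safe_load` enables aliases, which deserves a comment since nothing in the whitelist names hints at it and alias expansion is work the loader does on untrusted input.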
Index: ruby_2_4/lib/rubygems/specification.rb
===================================================================
--- ruby_2_4/lib/rubygems/specification.rb	(revision 60167)
+++ ruby_2_4/lib/rubygems/specification.rb	(revision 60168)
@@ -1101,7 +1101,7 @@ class Gem::Specification < Gem::BasicSpe https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems/specification.rb#L1101
     Gem.load_yaml
 
     input = normalize_yaml_input input
-    spec = YAML.load input
+    spec = Gem::SafeYAML.safe_load input
 
     if spec && spec.class == FalseClass then
       raise Gem::EndOfYAMLException
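Review bot: with `Gem::SafeYAML.safe_load` replacing `YAML.load`, a spec carrying a tag outside the whitelist now raises `Psych::DisallowedClass` instead of returning an object; nothing in this hunk rescues it, and the `spec.class == FalseClass` check below only handles the end-of-YAML case. Either rescue that error here and re-raise it as a Gem-level exception, or document that callers of this method can now see it propagate.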
Index: ruby_2_4/lib/rubygems/package.rb
===================================================================
--- ruby_2_4/lib/rubygems/package.rb	(revision 60167)
+++ ruby_2_4/lib/rubygems/package.rb	(revision 60168)
@@ -468,7 +468,7 @@ EOM https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems/package.rb#L468
 
     @checksums = gem.seek 'checksums.yaml.gz' do |entry|
       Zlib::GzipReader.wrap entry do |gz_io|
-        YAML.load gz_io.read
+        Gem::SafeYAML.safe_load gz_io.read
       end
     end
   end
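Review bot: `@checksums` is read with `Gem::SafeYAML.safe_load` and therefore the full class whitelist (`Gem::Specification`, `Gem::Dependency`, and so on); if, as the name suggests, `checksums.yaml.gz` holds only digest names and hex strings, that grants more than this input needs. `Gem::SafeYAML.load`, which permits only `Symbol` and which `config_file.rb` uses in this same change, would be the narrower choice; worth confirming the file's actual contents and tightening accordingly.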
Index: ruby_2_4/lib/rubygems/config_file.rb
===================================================================
--- ruby_2_4/lib/rubygems/config_file.rb	(revision 60167)
+++ ruby_2_4/lib/rubygems/config_file.rb	(revision 60168)
@@ -345,7 +345,7 @@ if you believe they were disclosed to a https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/rubygems/config_file.rb#L345
     return {} unless filename and File.exist? filename
 
     begin
-      content = YAML.load(File.read(filename))
+      content = Gem::SafeYAML.load(File.read(filename))
       unless content.kind_of? Hash
         warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
         return {}
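Review bot: `Gem::SafeYAML.load` whitelists only `Symbol`, so a config file containing any other tagged object (a `Time`, for example) now raises `Psych::DisallowedClass` rather than loading; the `unless content.kind_of? Hash` guard does not catch that, and the `rescue` clauses for this `begin` fall outside the hunk. Confirm they cover the new exception, otherwise a config file that previously loaded, or was skipped with the warning shown here, will now abort the command.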
Index: ruby_2_4
===================================================================
--- ruby_2_4	(revision 60167)
+++ ruby_2_4	(revision 60168)

Property changes on: ruby_2_4
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /trunk:r60149

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
