ruby-changes:49128
From: usa <ko1@a...>
Date: Thu, 14 Dec 2017 22:50:18 +0900 (JST)
Subject: [ruby-changes:49128] usa:r61244 (ruby_2_2): merge revision(s) 60149: [Backport #14003]
usa	2017-12-14 22:50:12 +0900 (Thu, 14 Dec 2017)
  New Revision: 61244
  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=61244
  Log:
    merge revision(s) 60149: [Backport #14003]
    Merge rubygems-2.6.14 changes.
    It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
  Added files:
    branches/ruby_2_2/lib/rubygems/safe_yaml.rb
  Modified directories:
    branches/ruby_2_2/
  Modified files:
    branches/ruby_2_2/ChangeLog
    branches/ruby_2_2/lib/rubygems/config_file.rb
    branches/ruby_2_2/lib/rubygems/package/old.rb
    branches/ruby_2_2/lib/rubygems/package.rb
    branches/ruby_2_2/lib/rubygems/specification.rb
    branches/ruby_2_2/lib/rubygems.rb
    branches/ruby_2_2/version.h
Index: ruby_2_2/ChangeLog
===================================================================
--- ruby_2_2/ChangeLog	(revision 61243)
+++ ruby_2_2/ChangeLog	(revision 61244)
@@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1
+Thu Dec 14 22:49:08 2017  SHIBATA Hiroshi  <hsbt@r...>
+
+	Merge rubygems-2.6.14 changes.
+
+	It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
+
 Thu Sep 14 20:44:26 2017  SHIBATA Hiroshi  <hsbt@r...>
 
 	* ext/json: bump to version 1.8.1.1. [Backport #13853]
Index: ruby_2_2/version.h
===================================================================
--- ruby_2_2/version.h	(revision 61243)
+++ ruby_2_2/version.h	(revision 61244)
@@ -1,9 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1
-#define RUBY_VERSION "2.2.8"
-#define RUBY_RELEASE_DATE "2017-09-14"
-#define RUBY_PATCHLEVEL 477
+#define RUBY_VERSION "2.2.9"
+#define RUBY_RELEASE_DATE "2017-12-14"
+#define RUBY_PATCHLEVEL 478
 
 #define RUBY_RELEASE_YEAR 2017
-#define RUBY_RELEASE_MONTH 9
+#define RUBY_RELEASE_MONTH 12
 #define RUBY_RELEASE_DAY 14
 
 #include "ruby/version.h"
Index: ruby_2_2/lib/rubygems/package/old.rb
===================================================================
--- ruby_2_2/lib/rubygems/package/old.rb	(revision 61243)
+++ ruby_2_2/lib/rubygems/package/old.rb	(revision 61244)
@@ -100,7 +100,7 @@ class Gem::Package::Old < Gem::Package https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems/package/old.rb#L100
       header << line
     end
 
-    YAML.load header
+    Gem::SafeYAML.safe_load header
   end
 
   ##
Index: ruby_2_2/lib/rubygems/package.rb
===================================================================
--- ruby_2_2/lib/rubygems/package.rb	(revision 61243)
+++ ruby_2_2/lib/rubygems/package.rb	(revision 61244)
@@ -452,7 +452,7 @@ EOM https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems/package.rb#L452
 
     @checksums = gem.seek 'checksums.yaml.gz' do |entry|
       Zlib::GzipReader.wrap entry do |gz_io|
-        YAML.load gz_io.read
+        Gem::SafeYAML.safe_load gz_io.read
       end
     end
   end
Index: ruby_2_2/lib/rubygems/safe_yaml.rb
===================================================================
--- ruby_2_2/lib/rubygems/safe_yaml.rb	(nonexistent)
+++ ruby_2_2/lib/rubygems/safe_yaml.rb	(revision 61244)
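Review bot: The new `Gem::SafeYAML.safe_load gz_io.read` line parses `checksums.yaml.gz` with the spec-loading whitelist, which (per the new safe_yaml.rb) admits `Gem::Specification`, `Gem::Dependency`, `Time` and friends and turns aliases on, although a checksums document is presumably nothing but a hash of strings. Since this file is read straight out of an untrusted archive, the narrower `Gem::SafeYAML.load gz_io.read` (Symbol only, no aliases) would cut the attack surface further; if some real checksum file does need aliases or other types, keep `safe_load` but say why in a comment. The enclosing method starts before the hunk.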
@@ -0,0 +1,48 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems/safe_yaml.rb#L1
+module Gem
+
+  ###
+  # This module is used for safely loading YAML specs from a gem. The
+  `safe_load` method defined on this module is specifically designed for
+  loading Gem specifications. For loading other YAML safely, please see
+  Psych.safe_load
+
+  module SafeYAML
+    WHITELISTED_CLASSES = %w(
+      Symbol
+      Time
+      Date
+      Gem::Dependency
+      Gem::Platform
+      Gem::Requirement
+      Gem::Specification
+      Gem::Version
+      Gem::Version::Requirement
+      YAML::Syck::DefaultKey
+      Syck::DefaultKey
+    )
+
+    WHITELISTED_SYMBOLS = %w(
+      development
+      runtime
+    )
+
+    if ::YAML.respond_to? :safe_load
+      def self.safe_load input
+        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+      end
+
+      def self.load input
+        ::YAML.safe_load(input, [::Symbol])
+      end
+    else
+      warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+      def self.safe_load input, *args
+        ::YAML.load input
+      end
+
+      def self.load input
+        ::YAML.load input
+      end
+    end
+  end
+end
Index: ruby_2_2/lib/rubygems/config_file.rb
===================================================================
--- ruby_2_2/lib/rubygems/config_file.rb	(revision 61243)
+++ ruby_2_2/lib/rubygems/config_file.rb	(revision 61244)
@@ -330,7 +330,7 @@ if you believe they were disclosed to a https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems/config_file.rb#L330
     return {} unless filename and File.exist? filename
 
     begin
-      content = YAML.load(File.read(filename))
+      content = Gem::SafeYAML.load(File.read(filename))
       unless content.kind_of? Hash
         warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
         return {}
Index: ruby_2_2/lib/rubygems/specification.rb
===================================================================
--- ruby_2_2/lib/rubygems/specification.rb	(revision 61243)
+++ ruby_2_2/lib/rubygems/specification.rb	(revision 61244)
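Review bot: The `else` branch taken when `::YAML` lacks `safe_load` (psych < 2.0 or syck) defines both `safe_load` and `load` as plain `::YAML.load`, so on such an interpreter gem metadata is still deserialized with arbitrary object construction and the only signal is a one-off `warn`; the vulnerability this commit addresses is silently left open there rather than enforced. If that fallback must exist, the message should at least say that gem metadata will be loaded unsafely, or better, raise (e.g. `raise Gem::Exception, "psych >= 2.0 with YAML.safe_load is required to load gem metadata safely"`) so the unsafe path cannot be taken unknowingly. The fallback also declares `def self.safe_load input, *args` while the psych branch declares `def self.safe_load input`, so the two branches do not present the same interface. Lastly, the trailing `true` in `::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)` enables aliases, which older gemspecs need but which also lets an attacker-controlled document amplify memory through repeated alias expansion; a one-line comment recording that trade-off would help the next maintainer.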
@@ -985,7 +985,7 @@ class Gem::Specification < Gem::BasicSpe https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems/specification.rb#L985
     Gem.load_yaml
 
     input = normalize_yaml_input input
-    spec = YAML.load input
+    spec = Gem::SafeYAML.safe_load input
 
     if spec && spec.class == FalseClass then
       raise Gem::EndOfYAMLException
Index: ruby_2_2/lib/rubygems.rb
===================================================================
--- ruby_2_2/lib/rubygems.rb	(revision 61243)
+++ ruby_2_2/lib/rubygems.rb	(revision 61244)
@@ -9,7 +9,7 @@ require 'rbconfig' https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems.rb#L9
 require 'thread'
 
 module Gem
-  VERSION = '2.4.5.3'
+  VERSION = '2.4.5.4'
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -598,7 +598,7 @@ module Gem https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems.rb#L598
 
     unless test_syck
       begin
-        gem 'psych', '~> 1.2', '>= 1.2.1'
+        gem 'psych', '~> 2.0.0'
       rescue Gem::LoadError
         # It's OK if the user does not have the psych gem installed. We will
         # attempt to require the stdlib version
@@ -622,6 +622,7 @@ module Gem https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/rubygems.rb#L622
     end
 
     require 'yaml'
+    require 'rubygems/safe_yaml'
 
     # If we're supposed to be using syck, then we may have to force
     # activate it via the YAML::ENGINE API.
Index: ruby_2_2
===================================================================
--- ruby_2_2	(revision 61243)
+++ ruby_2_2	(revision 61244)
Property changes on: ruby_2_2
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /trunk:r60149
--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
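Review bot: `spec = Gem::SafeYAML.safe_load input` adds a new failure mode to this method that the hunk does not handle: metadata naming any class outside the whitelist now raises `Psych::DisallowedClass` (a `Psych::Exception`, not a `Psych::SyntaxError`), so a gem that is well-formed YAML but carries a rogue type fails with a raw Psych error instead of a Gem-level one. The callers that rescue only `Psych::SyntaxError` or the Gem exceptions are not visible in this hunk, so this is inferred; rescuing `Psych::DisallowedClass` here and re-raising a Gem error that names the offending class, or at least documenting the new exception above the method, would make the behaviour explicit. The enclosing method starts before the hunk and continues past it.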
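Review bot: `require 'rubygems/safe_yaml'` is placed before the code the following comment describes — forcing syck via `YAML::ENGINE` — yet safe_yaml.rb picks its psych or fallback branch once, at require time, with `::YAML.respond_to? :safe_load`, so if the engine is switched afterwards the module may be bound to the wrong engine (psych's `safe_load` called under syck, or the unsafe fallback chosen needlessly). Moving the require below the engine selection, or doing the `respond_to?` check inside the methods at call time, would make the choice follow the engine actually in use; the syck activation code itself lies outside the hunk, so this is inferred from the comment. The enclosing method starts before the first hunk of this file and continues past the last.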