Blame SOURCES/rubygems-2.2.4-Limit-API-endpoint-to-original-security-domain.patch

From 6bbee35fd6daed045103f3122490a588d97c066a Mon Sep 17 00:00:00 2001
From: Evan Phoenix <evan@phx.io>
Date: Thu, 14 May 2015 14:53:35 -0700
Subject: [PATCH] Limit API endpoint to original security domain
Conflicts:
	lib/rubygems/remote_fetcher.rb
Conflicts:
	test/rubygems/test_gem_remote_fetcher.rb
---
 lib/rubygems/remote_fetcher.rb           |  8 +++++++-
 test/rubygems/test_gem_remote_fetcher.rb | 18 ++++++++++++++++--
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
b54141
index da1febb..ec78e5f 100644
b54141
--- a/lib/rubygems/remote_fetcher.rb
b54141
+++ b/lib/rubygems/remote_fetcher.rb
b54141
@@ -94,7 +94,13 @@ def api_endpoint(uri)
b54141
     rescue Resolv::ResolvError
b54141
       uri
b54141
     else
b54141
-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
b54141
+      target = res.target.to_s.strip
b54141
+
b54141
+      if /#{host}\z/ =~ target
b54141
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
b54141
+      end
b54141
+
b54141
+      uri
b54141
     end
b54141
   end
b54141
 
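Review bot: The suffix check `if /#{host}\z/ =~ target` interpolates `host` into the pattern unescaped and does not anchor on a label boundary, so an SRV target in a different domain whose name merely ends with the same characters still matches, and each `.` in the host matches any character. In that case the rewritten endpoint still leaves the original security domain, which is what this change is meant to prevent. Escaping the host and requiring a leading dot closes both gaps: `if /\.#{Regexp.escape(host)}\z/ =~ target`. `host` is assigned above the hunk, so confirm it is the request URI's host; a short comment above the check saying that only sub-domains of the original host are accepted would also help the next reader.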
b54141
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
b54141
index 883e1bd..a590dca 100644
b54141
--- a/test/rubygems/test_gem_remote_fetcher.rb
b54141
+++ b/test/rubygems/test_gem_remote_fetcher.rb
b54141
@@ -167,6 +167,21 @@ def test_no_proxy
b54141
   end
b54141
 
b54141
   def test_api_endpoint
b54141
+    uri = URI.parse "http://example.com/foo"
b54141
+    target = MiniTest::Mock.new
b54141
+    target.expect :target, "gems.example.com"
b54141
+
b54141
+    dns = MiniTest::Mock.new
b54141
+    dns.expect :getresource, target, [String, Object]
b54141
+
b54141
+    fetch = Gem::RemoteFetcher.new nil, dns
b54141
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
b54141
+
b54141
+    target.verify
b54141
+    dns.verify
b54141
+  end
b54141
+
b54141
+  def test_api_endpoint_ignores_trans_domain_values
b54141
     uri = URI.parse "http://gems.example.com/foo"
b54141
     target = MiniTest::Mock.new
b54141
     target.expect :target, "blah.com"
b54141
@@ -175,8 +190,7 @@ def test_api_endpoint
b54141
     dns.expect :getresource, target, [String, Object]
b54141
 
b54141
     fetch = Gem::RemoteFetcher.new nil, dns
b54141
-    @fetcher = fetcher
b54141
-    assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
b54141
+    assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
b54141
 
b54141
     target.verify
b54141
     dns.verify
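Review bot: The negative test `test_api_endpoint_ignores_trans_domain_values` only uses a completely unrelated target (`"blah.com"`), so nothing pins the boundary of the suffix match in `api_endpoint`. A target that shares the trailing characters of the host but belongs to another domain is the case most likely to slip through a regex-based check, and it has no coverage here. I would add a sibling test for that case, as sketched below; the domain is a constructed sample, and the test is expected to fail against the check as written in this commit until the pattern is escaped and anchored on a dot. The method under review starts in the previous hunk and its closing `end` lies outside this one.

```ruby
  def test_api_endpoint_ignores_lookalike_suffix
    # constructed sample: ends with the host's characters but is a different domain
    uri = URI.parse "http://example.com/foo"
    target = MiniTest::Mock.new
    target.expect :target, "gems.notexample.com"

    dns = MiniTest::Mock.new
    dns.expect :getresource, target, [String, Object]

    fetch = Gem::RemoteFetcher.new nil, dns
    assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)

    target.verify
    dns.verify
  end
```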