From dcd09da317d9710c61000dbda5df2c9a6d59b1fb Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 16 Feb 2018 16:21:44 +0000
Subject: [PATCH] Fix Unsafe Object Deserialization Vulnerability in gem owner.
merge revision(s) 58471,58493,62436: [Backport #13505]
	load.c: backtrace of circular require
	* load.c (load_lock): print backtrace of circular require via
	  `Warning.warn` [ruby-core:80850] [Bug #13505]
	  Send the backtrace of the circular require warning as a single String to Warning.warn
	* load.c: send as a single string.
	* error.c: expose the string formatted by rb_warning as rb_warning_string().
	* test/ruby/test_exception.rb: update tests.
	  [ruby-core:80850] [Bug #13505]
	fix regexp literal warning.
	* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
	  [Bug #14481]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62439 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/rubygems/commands/owner_command.rb        |  2 +-
 .../test_gem_commands_owner_command.rb        | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/lib/rubygems/commands/owner_command.rb b/lib/rubygems/commands/owner_command.rb
index 11e6e026fd..df64f41e59 100644
--- a/lib/rubygems/commands/owner_command.rb
+++ b/lib/rubygems/commands/owner_command.rb
@@ -48,7 +48,7 @@ class Gem::Commands::OwnerCommand < Gem::Command
     end
 
     with_response response do |resp|
-      owners = YAML.load resp.body
+      owners = Gem::SafeYAML.load resp.body
 
       say "Owners for gem: #{name}"
       owners.each do |owner|
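Review bot: `Gem::SafeYAML.load` can still raise `Psych::DisallowedClass` (and `Psych::SyntaxError` on a malformed body), and nothing in this block rescues it, so a hostile or broken owners.yaml response now surfaces as an uncaught exception with a backtrace rather than a gem error; the test added in this patch relies on exactly that propagation. Consider reporting it through the command's normal channel, e.g. `begin; owners = Gem::SafeYAML.load resp.body; rescue Psych::Exception => e; alert_error "Invalid owners response: #{e.message}"; terminate_interaction 1; end` (assuming the usual Psych hierarchy where both errors derive from `Psych::Exception`), and adjust the test to match. The following `owners.each` also assumes the parsed document is an Array; a scalar or mapping from the server would fail with `NoMethodError`, so an explicit `unless owners.is_a?(Array)` check before the loop would harden this further. Whether `Gem::SafeYAML` is already present on this 2.3 branch is not visible here and should be confirmed. `show_owners` starts and ends outside the hunk.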
diff --git a/test/rubygems/test_gem_commands_owner_command.rb b/test/rubygems/test_gem_commands_owner_command.rb
index dfbc2572dc..22272d4a22 100644
--- a/test/rubygems/test_gem_commands_owner_command.rb
+++ b/test/rubygems/test_gem_commands_owner_command.rb
@@ -34,6 +34,30 @@ EOF
     assert_match %r{- user2@example.com}, @ui.output
   end
 
+  def test_show_owners_dont_load_objects
+    skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
+
+    response = <
+---
+- email: !ruby/object:Object {}
+  id: 1
+  handle: user1
+- email: user2@example.com
+- id: 3
+  handle: user3
+- id: 4
+EOF
+
+    @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
+
+    assert_raises Psych::DisallowedClass do
+      use_ui @ui do
+        @cmd.show_owners("freewill")
+      end
+    end
+
+  end
+
   def test_show_owners_denied
     response = "You don't have permission to push to this gem"
     @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 403, 'Forbidden']
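Review bot: The new test pins the fix by expecting `Psych::DisallowedClass` to escape `show_owners`, which ties it to an uncaught exception reaching the user; if the command later rescues that error and prints a message, this test must be rewritten, so asserting the intent directly — no Ruby object is instantiated from the response, and `@ui.output` contains no owner lines — would be more durable. The fixture only exercises `!ruby/object:Object`; a second case with a `!ruby/hash:` or symbol tag would document what SafeYAML's whitelist is expected to reject. The heredoc opener on the `response =` line appears truncated in this rendering (likely `<<-EOF`); worth confirming against the actual commit. The blank line before the closing `end` of `test_show_owners_dont_load_objects` is stray.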
-- 
2.17.1