|
 |
b8524a |
From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001
|
|
|
b8524a |
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
|
|
b8524a |
Date: Wed, 11 Oct 2017 13:48:14 +0000
|
|
|
b8524a |
Subject: [PATCH] merge revision(s) 60149: [Backport #14003]
|
|
|
b8524a |
|
|
|
b8524a |
Merge rubygems-2.6.14 changes.
|
|
|
b8524a |
|
|
|
b8524a |
It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
|
|
|
b8524a |
|
|
|
b8524a |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
b8524a |
---
|
|
|
b8524a |
lib/rubygems.rb | 5 +++--
|
|
|
b8524a |
lib/rubygems/config_file.rb | 2 +-
|
|
|
b8524a |
lib/rubygems/package.rb | 2 +-
|
|
|
b8524a |
lib/rubygems/package/old.rb | 2 +-
|
|
|
b8524a |
lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++
|
|
|
b8524a |
lib/rubygems/specification.rb | 2 +-
|
|
|
b8524a |
6 files changed, 55 insertions(+), 6 deletions(-)
|
|
|
b8524a |
create mode 100644 lib/rubygems/safe_yaml.rb
|
|
|
b8524a |
|
|
|
b8524a |
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
|
|
|
b8524a |
index 55aa85b8b2bd..0685bcb3c629 100644
|
|
|
b8524a |
--- a/lib/rubygems.rb
|
|
|
b8524a |
+++ b/lib/rubygems.rb
|
|
|
b8524a |
@@ -574,7 +574,7 @@ def self.load_yaml
|
|
|
b8524a |
|
|
|
b8524a |
unless test_syck
|
|
|
b8524a |
begin
|
|
|
b8524a |
- gem 'psych', '~> 1.2', '>= 1.2.1'
|
|
|
b8524a |
+ gem 'psych', '>= 2.0.0'
|
|
|
b8524a |
rescue Gem::LoadError
|
|
|
b8524a |
# It's OK if the user does not have the psych gem installed. We will
|
|
|
b8524a |
# attempt to require the stdlib version
|
|
|
b8524a |
@@ -598,6 +598,7 @@ def self.load_yaml
|
|
|
b8524a |
end
|
|
|
b8524a |
|
|
|
b8524a |
require 'yaml'
|
|
|
b8524a |
+ require 'rubygems/safe_yaml'
|
|
|
b8524a |
|
|
|
b8524a |
# If we're supposed to be using syck, then we may have to force
|
|
|
b8524a |
# activate it via the YAML::ENGINE API.
|
|
|
b8524a |
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
|
|
|
b8524a |
index c95d7dd1f14e..63583b361615 100644
|
|
|
b8524a |
--- a/lib/rubygems/config_file.rb
|
|
|
b8524a |
+++ b/lib/rubygems/config_file.rb
|
|
|
b8524a |
@@ -316,7 +316,7 @@ def load_file(filename)
|
|
|
b8524a |
return {} unless filename and File.exist? filename
|
|
|
b8524a |
|
|
|
b8524a |
begin
|
|
|
b8524a |
- content = YAML.load(File.read(filename))
|
|
|
b8524a |
+ content = Gem::SafeYAML.load(File.read(filename))
|
|
|
b8524a |
unless content.kind_of? Hash
|
|
|
b8524a |
warn "Failed to load #{filename} because it doesn't contain valid YAML hash"
|
|
|
b8524a |
return {}
|
|
|
b8524a |
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
|
|
|
b8524a |
index c36e71d800a2..77811ed5ecaa 100644
|
|
|
b8524a |
--- a/lib/rubygems/package.rb
|
|
|
b8524a |
+++ b/lib/rubygems/package.rb
|
|
|
b8524a |
@@ -418,7 +418,7 @@ def read_checksums gem
|
|
|
b8524a |
|
|
|
b8524a |
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
|
|
|
b8524a |
Zlib::GzipReader.wrap entry do |gz_io|
|
|
|
b8524a |
- YAML.load gz_io.read
|
|
|
b8524a |
+ Gem::SafeYAML.safe_load gz_io.read
|
|
|
b8524a |
end
|
|
|
b8524a |
end
|
|
|
b8524a |
end
|
|
|
b8524a |
diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
|
|
|
b8524a |
index 5e722baa3540..071f7141ab78 100644
|
|
|
b8524a |
--- a/lib/rubygems/package/old.rb
|
|
|
b8524a |
+++ b/lib/rubygems/package/old.rb
|
|
|
b8524a |
@@ -100,7 +100,7 @@ def file_list io # :nodoc:
|
|
|
b8524a |
header << line
|
|
|
b8524a |
end
|
|
|
b8524a |
|
|
|
b8524a |
- YAML.load header
|
|
|
b8524a |
+ Gem::SafeYAML.safe_load header
|
|
|
b8524a |
end
|
|
|
b8524a |
|
|
|
b8524a |
##
|
|
|
b8524a |
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
|
|
|
b8524a |
new file mode 100644
|
|
|
b8524a |
index 000000000000..b98cfaa5e60d
|
|
|
b8524a |
--- /dev/null
|
|
|
b8524a |
+++ b/lib/rubygems/safe_yaml.rb
|
|
|
b8524a |
@@ -0,0 +1,48 @@
|
|
|
b8524a |
+module Gem
|
|
|
b8524a |
+
|
|
|
b8524a |
+ ###
|
|
|
b8524a |
+ # This module is used for safely loading YAML specs from a gem. The
|
|
|
b8524a |
+ # `safe_load` method defined on this module is specifically designed for
|
|
|
b8524a |
+ # loading Gem specifications. For loading other YAML safely, please see
|
|
|
b8524a |
+ # Psych.safe_load
|
|
|
b8524a |
+
|
|
|
b8524a |
+ module SafeYAML
|
|
|
b8524a |
+ WHITELISTED_CLASSES = %w(
|
|
|
b8524a |
+ Symbol
|
|
|
b8524a |
+ Time
|
|
|
b8524a |
+ Date
|
|
|
b8524a |
+ Gem::Dependency
|
|
|
b8524a |
+ Gem::Platform
|
|
|
b8524a |
+ Gem::Requirement
|
|
|
b8524a |
+ Gem::Specification
|
|
|
b8524a |
+ Gem::Version
|
|
|
b8524a |
+ Gem::Version::Requirement
|
|
|
b8524a |
+ YAML::Syck::DefaultKey
|
|
|
b8524a |
+ Syck::DefaultKey
|
|
|
b8524a |
+ )
|
|
|
b8524a |
+
|
|
|
b8524a |
+ WHITELISTED_SYMBOLS = %w(
|
|
|
b8524a |
+ development
|
|
|
b8524a |
+ runtime
|
|
|
b8524a |
+ )
|
|
|
b8524a |
+
|
|
|
b8524a |
+ if ::YAML.respond_to? :safe_load
|
|
|
b8524a |
+ def self.safe_load input
|
|
|
b8524a |
+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
|
|
|
b8524a |
+ end
|
|
|
b8524a |
+
|
|
|
b8524a |
+ def self.load input
|
|
|
b8524a |
+ ::YAML.safe_load(input, [::Symbol])
|
|
|
b8524a |
+ end
|
|
|
b8524a |
+ else
|
|
|
b8524a |
+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
|
|
|
b8524a |
+ def self.safe_load input, *args
|
|
|
b8524a |
+ ::YAML.load input
|
|
|
b8524a |
+ end
|
|
|
b8524a |
+
|
|
|
b8524a |
+ def self.load input
|
|
|
b8524a |
+ ::YAML.load input
|
|
|
b8524a |
+ end
|
|
|
b8524a |
+ end
|
|
|
b8524a |
+ end
|
|
|
b8524a |
+end
|
|
|
b8524a |
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
|
|
|
b8524a |
index 88e320c05ac9..40e3a70d476c 100644
|
|
|
b8524a |
--- a/lib/rubygems/specification.rb
|
|
|
b8524a |
+++ b/lib/rubygems/specification.rb
|
|
|
b8524a |
@@ -910,7 +910,7 @@ def self.from_yaml(input)
|
|
|
b8524a |
Gem.load_yaml
|
|
|
b8524a |
|
|
|
b8524a |
input = normalize_yaml_input input
|
|
|
b8524a |
- spec = YAML.load input
|
|
|
b8524a |
+ spec = Gem::SafeYAML.safe_load input
|
|
|
b8524a |
|
|
|
b8524a |
if spec && spec.class == FalseClass then
|
|
|
b8524a |
raise Gem::EndOfYAMLException
|