merge revision(s) a7f5d6ab88 c9ab8fe2 [Backport#17877]

a fix of RDoc for CVE-2021-31799

lib/rdoc/rdoc.rb

@@ -430,7 +430,7 @@ The internal error was:
     files.reject do |file|
       file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
         (file =~ /tags$/i and
-         open(file, 'rb') { |io|
+         File.open(file, 'rb') { |io|
            io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
          })
     end

test/rdoc/test_rdoc_rdoc.rb

@@ -426,6 +426,19 @@ class TestRDocRDoc < RDoc::TestCase
     end
   end
 
+  def test_remove_unparseable_CVE_2021_31799
+    omit 'for Un*x platforms' if Gem.win_platform?
+    temp_dir do
+      file_list = ['| touch evil.txt && echo tags']
+      file_list.each do |f|
+        FileUtils.touch f
+      end
+
+      assert_equal file_list, @rdoc.remove_unparseable(file_list)
+      assert_equal file_list, Dir.children('.')
+    end
+  end
+
   def test_setup_output_dir
     Dir.mktmpdir {|d|
       path = File.join d, 'testdir'

version.h

@@ -2,7 +2,7 @@
 # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
 #define RUBY_VERSION_TEENY 4
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 187
+#define RUBY_PATCHLEVEL 188
 
 #define RUBY_RELEASE_YEAR 2021
 #define RUBY_RELEASE_MONTH 5