* lib/rubygems: Update to RubyGems master dcce4ff. Important changes

in this commit:

  Remove automatic detection of gem dependencies files.  This prevents a
  security hole as described in [ruby-core:58490]

  Fixed bugs for installing git gems.

* test/rubygems:  ditto.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@43806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,15 @@
+Sat Nov 23 03:44:03 2013  Eric Hodel  <drbrain@segment7.net>
+
+	* lib/rubygems:  Update to RubyGems master dcce4ff.  Important changes
+	  in this commit:
+
+	  Remove automatic detection of gem dependencies files.  This prevents a
+	  security hole as described in [ruby-core:58490]
+
+	  Fixed bugs for installing git gems.
+
+	* test/rubygems:  ditto.
+
 Fri Nov 22 22:30:00 2013  Kenta Murata  <mrkn@mrkn.jp>
 
 	* ext/bigdecimal/bigdecimal.c (BigDecimal_power):

lib/rubygems.rb

@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = '2.2.0.preview.2'
+  VERSION = '2.2.0'
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -995,12 +995,16 @@ module Gem
   # Looks for gem dependency files (gem.deps.rb, Gemfile, Isolate) from the
   # current directory up and activates the gems in the first file found.
   #
-  # This is run automatically when rubygems starts.  To disable, set
+  # You can run this automatically when rubygems starts.  To enable, set
-  # the <code>RUBYGEMS_GEMDEPS=</code> environment variable to an empty
+  # the <code>RUBYGEMS_GEMDEPS</code> environment variable to either the path
-  # string.
+  # of your Gemfile or "-" to auto-discover in parent directories.
+  #
+  # NOTE: Enabling automatic discovery on multiuser systems can lead to
+  # execution of arbitrary code when used from directories outside your
+  # control.
 
   def self.use_gemdeps
-    return unless path = ENV['RUBYGEMS_GEMDEPS'] || '-'
+    return unless path = ENV['RUBYGEMS_GEMDEPS']
     path = path.dup.untaint
 
     if path == "-"

lib/rubygems/resolver/composed_set.rb

@@ -23,9 +23,9 @@ class Gem::Resolver::ComposedSet < Gem::Resolver::Set
   # Finds all specs matching +req+ in all sets.
 
   def find_all req
-    res = []
+    @sets.map do |s|
-    @sets.each { |s| res += s.find_all(req) }
+      s.find_all req
-    res
+    end.flatten
   end
 
   ##

lib/rubygems/source/git.rb

@@ -120,6 +120,12 @@ class Gem::Source::Git < Gem::Source
     rev_parse[0..11]
   end
 
+  ##
+  # Nothing to download for git gems
+
+  def download full_spec, path # :nodoc:
+  end
+
   ##
   # The directory where the git gem will be installed.
 

lib/rubygems/specification.rb

@@ -2177,7 +2177,7 @@ class Gem::Specification < Gem::BasicSpecification
   # Used by Gem::Resolver to order Gem::Specification objects
 
   def source # :nodoc:
-    self
+    Gem::Source::Installed.new
   end
 
   ##

test/rubygems/test_gem.rb

@@ -1258,6 +1258,24 @@ class TestGem < Gem::TestCase
 
     Gem.use_gemdeps
 
+    refute spec.activated?
+  ensure
+    ENV['RUBYGEMS_GEMDEPS'] = rubygems_gemdeps
+  end
+
+  def test_use_gemdeps_automatic
+    rubygems_gemdeps, ENV['RUBYGEMS_GEMDEPS'] = ENV['RUBYGEMS_GEMDEPS'], '-'
+
+    spec = util_spec 'a', 1
+
+    refute spec.activated?
+
+    open 'Gemfile', 'w' do |io|
+      io.write 'gem "a"'
+    end
+
+    Gem.use_gemdeps
+
     assert spec.activated?
   ensure
     ENV['RUBYGEMS_GEMDEPS'] = rubygems_gemdeps

test/rubygems/test_gem_source_git.rb

@@ -51,6 +51,10 @@ class TestGemSourceGit < Gem::TestCase
     assert_equal @head[0..11], @source.dir_shortref
   end
 
+  def test_download
+    refute @source.download nil, nil
+  end
+
   def test_equals2
     assert_equal @source, @source
 

test/rubygems/test_gem_specification.rb

@@ -1738,6 +1738,10 @@ dependencies: []
     RbConfig::CONFIG['ENABLE_SHARED'] = enable_shared
   end
 
+  def test_source
+    assert_kind_of Gem::Source::Installed, @a1.source
+  end
+
   def test_full_require_paths
     ext_spec