* lib/rubygems: Update to RubyGems 1.8.10. Fixes security issue in

creating ruby-format gemspecs. Fixes Gem.dir not being at the front of Gem.path to fix uninstall and cleanup commands. Fixes gem uninstall stopping on the first missing gem. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33074 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2011-08-26 01:10:50 +00:00 · 2011-08-26 01:10:50 +00:00 · e93d882d96
commit e93d882d96
parent 4544b3824c
12 changed files with 205 additions and 76 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+Fri Aug 26 10:10:37 2011  Eric Hodel  <drbrain@segment7.net>
+
+	* lib/rubygems:  Update to RubyGems 1.8.10.  Fixes security issue in
+	  creating ruby-format gemspecs.  Fixes Gem.dir not being at the front
+	  of Gem.path to fix uninstall and cleanup commands.  Fixes gem
+	  uninstall stopping on the first missing gem.
+
 Fri Aug 26 08:21:10 2011  Aaron Patterson <aaron@tenderlovemaking.com>

 	* time.c (strftimev): Make Time#to_s default to US-ASCII encoding but
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@ -118,7 +118,7 @@ require "rubygems/deprecate"
 # -The RubyGems Team

 module Gem
-  VERSION = '1.8.9'
+  VERSION = '1.8.10'

  ##
  # Raised when RubyGems is unable to load or activate a gem.  Contains the
@ -644,7 +644,15 @@ module Gem

  def self.load_yaml
    begin
-      require 'psych'
+      gem 'psych', '~> 1.2', '>= 1.2.1' unless ENV['TEST_SYCK']
+    rescue Gem::LoadError
+      # It's OK if the user does not have the psych gem installed.  We will
+      # attempt to require the stdlib version
+    end
+
+    begin
+      # Try requiring the gem version *or* stdlib version of psych.
+      require 'psych' unless ENV['TEST_SYCK']
    rescue ::LoadError
    ensure
      require 'yaml'
--- a/lib/rubygems/commands/uninstall_command.rb
+++ b/lib/rubygems/commands/uninstall_command.rb
@ -78,6 +78,8 @@ class Gem::Commands::UninstallCommand < Gem::Command
    get_all_gem_names.each do |gem_name|
      begin
        Gem::Uninstaller.new(gem_name, options).uninstall
+      rescue Gem::InstallError => e
+        alert e.message
      rescue Gem::GemNotInHomeException => e
        spec = e.spec
        alert("In order to remove #{spec.name}, please execute:\n" \
--- a/lib/rubygems/path_support.rb
+++ b/lib/rubygems/path_support.rb
@ -1,5 +1,4 @@
 ##
-#
 # Gem::PathSupport facilitates the GEM_HOME and GEM_PATH environment settings
 # to the rest of RubyGems.
 #
@ -43,18 +42,16 @@ class Gem::PathSupport
  # Set the Gem search path (as reported by Gem.path).

  def path=(gpaths)
-    # FIX: it should be [home, *path], not [*path, home]
-
-    gem_path = []
+    gem_path = [@home]

    # FIX: I can't tell wtf this is doing.
    gpaths ||= (ENV['GEM_PATH'] || "").empty? ? nil : ENV["GEM_PATH"]

-    if gpaths
-      if gpaths.kind_of?(Array)
-        gem_path = gpaths.dup
+    if gpaths then
+      if gpaths.kind_of?(Array) then
+        gem_path.push(*gpaths)
      else
-        gem_path = gpaths.split(File::PATH_SEPARATOR)
+        gem_path.push(*gpaths.split(File::PATH_SEPARATOR))
      end

      if File::ALT_SEPARATOR then
@ -62,14 +59,10 @@ class Gem::PathSupport
          this_path.gsub File::ALT_SEPARATOR, File::SEPARATOR
        end
      end
-
-      gem_path << @home
    else
-      gem_path = Gem.default_path + [@home]
+      gem_path.push(*Gem.default_path)

-      if defined?(APPLE_GEM_HOME)
-        gem_path << APPLE_GEM_HOME
-      end
+      gem_path << APPLE_GEM_HOME if defined?(APPLE_GEM_HOME)
    end

    @path = gem_path.uniq
--- a/lib/rubygems/requirement.rb
+++ b/lib/rubygems/requirement.rb
@ -16,6 +16,9 @@ module YAML
  if !defined? Syck
    module Syck
      class DefaultKey
+        def to_s
+          '='
+        end
      end
    end
  end
--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
@ -1459,7 +1459,7 @@ class Gem::Specification
    # TODO: do we need these?? Kill it
    glob = File.join(self.lib_dirs_glob, glob)

-    Dir[glob].map { |f| f.untaint } # FIX our tests are brokey, run w/ SAFE=1
+    Dir[glob].map { |f| f.untaint } # FIX our tests are broken, run w/ SAFE=1
  end

  ##
@ -1690,11 +1690,11 @@ class Gem::Specification

  def ruby_code(obj)
    case obj
-    when String            then '%q{' + obj + '}'
+    when String            then obj.dump
    when Array             then '[' + obj.map { |x| ruby_code x }.join(", ") + ']'
-    when Gem::Version      then obj.to_s.inspect
-    when Date              then '%q{' + obj.strftime('%Y-%m-%d') + '}'
-    when Time              then '%q{' + obj.strftime('%Y-%m-%d') + '}'
+    when Gem::Version      then obj.to_s.dump
+    when Date              then obj.strftime('%Y-%m-%d').dump
+    when Time              then obj.strftime('%Y-%m-%d').dump
    when Numeric           then obj.inspect
    when true, false, nil  then obj.inspect
    when Gem::Platform     then "Gem::Platform.new(#{obj.to_a.inspect})"
--- a/test/rubygems/test_gem.rb
+++ b/test/rubygems/test_gem.rb
@ -733,7 +733,7 @@ class TestGem < Gem::TestCase

    Gem.instance_variable_set :@paths, nil

-    assert_equal [Gem.default_path, Gem.dir].flatten.uniq, Gem.path
+    assert_equal [Gem.dir, *Gem.default_path].uniq, Gem.path
  ensure
    Object.const_set :APPLE_GEM_HOME, orig_APPLE_GEM_HOME if orig_APPLE_GEM_HOME
  end
@ -772,11 +772,10 @@ class TestGem < Gem::TestCase

    ENV['GEM_PATH'] = @additional.join(File::PATH_SEPARATOR)

-    assert_equal @additional, Gem.path[0,2]
+    assert_equal [Gem.dir, *@additional], Gem.path

    assert_equal path_count + @additional.size, Gem.path.size,
                 "extra path components: #{Gem.path[2..-1].inspect}"
-    assert_equal Gem.dir, Gem.path.last
  end

  def test_self_path_duplicate
@ -789,8 +788,7 @@ class TestGem < Gem::TestCase

    assert_equal @gemhome, Gem.dir

-    paths = [Gem.dir]
-    assert_equal @additional + paths, Gem.path
+    assert_equal [Gem.dir, *@additional], Gem.path
  end

  def test_self_path_overlap
@ -802,8 +800,7 @@ class TestGem < Gem::TestCase

    assert_equal @gemhome, Gem.dir

-    paths = [Gem.dir]
-    assert_equal @additional + paths, Gem.path
+    assert_equal [Gem.dir, *@additional], Gem.path
  end

  def test_self_platforms
@ -923,7 +920,7 @@ class TestGem < Gem::TestCase
    ENV["GEM_HOME"] = @gemhome
    Gem.paths = { "GEM_PATH" => path }

-    assert_equal [@userhome, other, @gemhome], Gem.path
+    assert_equal [@gemhome, @userhome, other], Gem.path
  end

  def test_self_paths_eq_nonexistent_home
@ -936,7 +933,7 @@ class TestGem < Gem::TestCase

    Gem.paths = { "GEM_PATH" => other }

-    assert_equal [other, @gemhome], Gem.path
+    assert_equal [@gemhome, other], Gem.path
  end

  def test_self_source_index
@ -983,7 +980,7 @@ class TestGem < Gem::TestCase
    Gem.use_paths @gemhome, @additional

    assert_equal @gemhome, Gem.dir
-    assert_equal @additional + [Gem.dir], Gem.path
+    assert_equal [Gem.dir, *@additional], Gem.path
  end

  def test_self_user_dir
--- a/test/rubygems/test_gem_commands_specification_command.rb
+++ b/test/rubygems/test_gem_commands_specification_command.rb
@ -135,7 +135,7 @@ class TestGemCommandsSpecificationCommand < Gem::TestCase
    end

    assert_match %r|Gem::Specification.new|, @ui.output
-    assert_match %r|s.name = %q\{foo\}|, @ui.output
+    assert_match %r|s.name = "foo"|, @ui.output
    assert_equal '', @ui.error
  end

--- a/test/rubygems/test_gem_commands_uninstall_command.rb
+++ b/test/rubygems/test_gem_commands_uninstall_command.rb
@ -45,6 +45,19 @@ class TestGemCommandsUninstallCommand < Gem::InstallerTestCase
    assert_includes output, "Successfully uninstalled #{@other.full_name}"
  end

+  def test_execute_mulitple_nonexistent
+    @cmd.options[:args] = %w[x y]
+
+    use_ui @ui do
+      @cmd.execute
+    end
+
+    output = @ui.output.split "\n"
+
+    assert_includes output, 'INFO:  gem "x" is not installed'
+    assert_includes output, 'INFO:  gem "y" is not installed'
+  end
+
  def test_execute_removes_executable
    ui = Gem::MockGemUi.new
    util_setup_gem ui
--- a/test/rubygems/test_gem_gem_runner.rb
+++ b/test/rubygems/test_gem_gem_runner.rb
@ -25,7 +25,7 @@ class TestGemGemRunner < Gem::TestCase
    gr = Gem::GemRunner.new
    gr.send :do_configuration, %W[--config-file #{temp_conf}]

-    assert_equal [other_gem_path, other_gem_home], Gem.path
+    assert_equal [other_gem_home, other_gem_path], Gem.path
    assert_equal %w[--commands], Gem::Command.extra_args
    assert_equal %w[--all], Gem::DocManager.configured_args
  end
--- a/test/rubygems/test_gem_path_support.rb
+++ b/test/rubygems/test_gem_path_support.rb
@ -22,10 +22,10 @@ class TestGemPathSupport < Gem::TestCase
  def test_initialize_home
    ps = Gem::PathSupport.new "GEM_HOME" => "#{@tempdir}/foo"

-    assert_equal File.join(@tempdir, "foo"), ps.home
+    expected = File.join(@tempdir, "foo")
+    assert_equal expected, ps.home

-    expected = util_path + [File.join(@tempdir, 'foo')]
-    assert_equal expected, ps.path
+    assert_equal [expected, *util_path], ps.path
  end

  if defined?(File::ALT_SEPARATOR) and File::ALT_SEPARATOR
@ -43,9 +43,9 @@ class TestGemPathSupport < Gem::TestCase
    assert_equal ENV["GEM_HOME"], ps.home

    expected = [
+                ENV["GEM_HOME"],
                File.join(@tempdir, 'foo'),
                File.join(@tempdir, 'bar'),
-                ENV["GEM_HOME"],
               ]

    assert_equal expected, ps.path
@ -61,6 +61,32 @@ class TestGemPathSupport < Gem::TestCase
    assert_equal expected, ps.path
  end

+  def test_path_equals
+    ps = Gem::PathSupport.new
+
+    ps.send :path=, ['a', 'b']
+
+    assert_equal [@tempdir, 'a', 'b'], ps.path
+  end
+
+  def test_path_equals_empty
+    ps = Gem::PathSupport.new
+
+    ps.send :path=, nil
+
+    assert_equal [@tempdir, 'something'], ps.path
+  end
+
+  def test_path_equals_empty_no_GEM_PATH
+    ENV.delete 'GEM_PATH'
+
+    ps = Gem::PathSupport.new
+
+    ps.send :path=, nil
+
+    assert_equal [@tempdir, *Gem.default_path], ps.path
+  end
+
  def util_path
    ENV["GEM_PATH"].split(File::PATH_SEPARATOR)
  end
--- a/test/rubygems/test_gem_specification.rb
+++ b/test/rubygems/test_gem_specification.rb
@ -114,7 +114,7 @@ end
    assert_equal @current_version, new_spec.specification_version
  end

-  def test_self_from_yaml_syck_bug
+  def test_self_from_yaml_syck_date_bug
    # This is equivalent to (and totally valid) psych 1.0 output and
    # causes parse errors on syck.
    yaml = @a1.to_yaml
@ -128,6 +128,41 @@ end
    assert_kind_of Time, new_spec.date
  end

+  def test_self_from_yaml_syck_default_key_bug
+    skip 'syck default_key bug is only for ruby 1.8' unless RUBY_VERSION < '1.9'
+    # This is equivalent to (and totally valid) psych 1.0 output and
+    # causes parse errors on syck.
+    yaml = <<-YAML
+--- !ruby/object:Gem::Specification
+name: posix-spawn
+version: !ruby/object:Gem::Version
+  version: 0.3.6
+  prerelease: 
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: &70243867725240 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - =
+      - !ruby/object:Gem::Version
+        version: 0.7.6
+  type: :development
+  prerelease: false
+  version_requirements: *70243867725240
+platform: ruby
+files: []
+test_files: []
+bindir:
+    YAML
+
+    new_spec = with_syck do
+      Gem::Specification.from_yaml yaml
+    end
+
+    refute_match %r%DefaultKey%, new_spec.to_ruby
+  end
+
  def test_self_load
    full_path = @a2.spec_file
    write_file full_path do |io|
@ -141,6 +176,51 @@ end
    assert_equal @a2, spec
  end

+  def test_self_load_escape_curly
+    @a2.name = 'a};raise "improper escaping";%q{'
+
+    full_path = @a2.spec_file
+    write_file full_path do |io|
+      io.write @a2.to_ruby_for_cache
+    end
+
+    spec = Gem::Specification.load full_path
+
+    @a2.files.clear
+
+    assert_equal @a2, spec
+  end
+
+  def test_self_load_escape_interpolation
+    @a2.name = 'a#{raise %<improper escaping>}'
+
+    full_path = @a2.spec_file
+    write_file full_path do |io|
+      io.write @a2.to_ruby_for_cache
+    end
+
+    spec = Gem::Specification.load full_path
+
+    @a2.files.clear
+
+    assert_equal @a2, spec
+  end
+
+  def test_self_load_escape_quote
+    @a2.name = 'a";raise "improper escaping";"'
+
+    full_path = @a2.spec_file
+    write_file full_path do |io|
+      io.write @a2.to_ruby_for_cache
+    end
+
+    spec = Gem::Specification.load full_path
+
+    @a2.files.clear
+
+    assert_equal @a2, spec
+  end
+
  def test_self_load_legacy_ruby
    spec = Deprecate.skip_during do
      eval LEGACY_RUBY_SPEC
@ -754,19 +834,19 @@ end
 # -*- encoding: utf-8 -*-

 Gem::Specification.new do |s|
-  s.name = %q{a}
-  s.version = \"2\"
+  s.name = "a"
+  s.version = "2"

  s.required_rubygems_version = Gem::Requirement.new(\"> 0\") if s.respond_to? :required_rubygems_version=
-  s.authors = [%q{A User}]
-  s.date = %q{#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}}
-  s.description = %q{This is a test description}
-  s.email = %q{example@example.com}
-  s.files = [%q{lib/code.rb}]
-  s.homepage = %q{http://example.com}
-  s.require_paths = [%q{lib}]
-  s.rubygems_version = %q{#{Gem::VERSION}}
-  s.summary = %q{this is a summary}
+  s.authors = ["A User"]
+  s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}"
+  s.description = "This is a test description"
+  s.email = "example@example.com"
+  s.files = ["lib/code.rb"]
+  s.homepage = "http://example.com"
+  s.require_paths = ["lib"]
+  s.rubygems_version = "#{Gem::VERSION}"
+  s.summary = "this is a summary"

  if s.respond_to? :specification_version then
    s.specification_version = #{Gem::Specification::CURRENT_SPECIFICATION_VERSION}
@ -801,18 +881,18 @@ end
 # -*- encoding: utf-8 -*-

 Gem::Specification.new do |s|
-  s.name = %q{a}
-  s.version = \"2\"
+  s.name = "a"
+  s.version = "2"

  s.required_rubygems_version = Gem::Requirement.new(\"> 0\") if s.respond_to? :required_rubygems_version=
-  s.authors = [%q{A User}]
-  s.date = %q{#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}}
-  s.description = %q{This is a test description}
-  s.email = %q{example@example.com}
-  s.homepage = %q{http://example.com}
-  s.require_paths = [%q{lib}]
-  s.rubygems_version = %q{#{Gem::VERSION}}
-  s.summary = %q{this is a summary}
+  s.authors = ["A User"]
+  s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}"
+  s.description = "This is a test description"
+  s.email = "example@example.com"
+  s.homepage = "http://example.com"
+  s.require_paths = ["lib"]
+  s.rubygems_version = "#{Gem::VERSION}"
+  s.summary = "this is a summary"

  if s.respond_to? :specification_version then
    s.specification_version = #{Gem::Specification::CURRENT_SPECIFICATION_VERSION}
@ -848,26 +928,26 @@ end
 # -*- encoding: utf-8 -*-

 Gem::Specification.new do |s|
-  s.name = %q{a}
-  s.version = \"1\"
+  s.name = "a"
+  s.version = "1"
  s.platform = Gem::Platform.new(#{expected_platform})

  s.required_rubygems_version = Gem::Requirement.new(\">= 0\") if s.respond_to? :required_rubygems_version=
-  s.authors = [%q{A User}]
-  s.date = %q{#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}}
-  s.description = %q{This is a test description}
-  s.email = %q{example@example.com}
-  s.executables = [%q{exec}]
-  s.extensions = [%q{ext/a/extconf.rb}]
-  s.files = [%q{lib/code.rb}, %q{test/suite.rb}, %q{bin/exec}, %q{ext/a/extconf.rb}]
-  s.homepage = %q{http://example.com}
-  s.licenses = [%q{MIT}]
-  s.require_paths = [%q{lib}]
-  s.requirements = [%q{A working computer}]
-  s.rubyforge_project = %q{example}
-  s.rubygems_version = %q{#{Gem::VERSION}}
-  s.summary = %q{this is a summary}
-  s.test_files = [%q{test/suite.rb}]
+  s.authors = ["A User"]
+  s.date = "#{Gem::Specification::TODAY.strftime "%Y-%m-%d"}"
+  s.description = "This is a test description"
+  s.email = "example@example.com"
+  s.executables = ["exec"]
+  s.extensions = ["ext/a/extconf.rb"]
+  s.files = ["lib/code.rb", "test/suite.rb", "bin/exec", "ext/a/extconf.rb"]
+  s.homepage = "http://example.com"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.requirements = ["A working computer"]
+  s.rubyforge_project = "example"
+  s.rubygems_version = "#{Gem::VERSION}"
+  s.summary = "this is a summary"
+  s.test_files = ["test/suite.rb"]

  if s.respond_to? :specification_version then
    s.specification_version = 3