e1890f92f2
Fix object taint bypassing in DL and Fiddle (CVE-2013-2065).
153 lines
6.1 KiB
Diff
153 lines
6.1 KiB
Diff
From b95b9942361104dc5b7fd08eb4970f893d8c1a54 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
|
Date: Wed, 13 Feb 2013 13:12:30 +0100
|
|
Subject: [PATCH 1/3] Remove duplicated check.
|
|
|
|
The loaded specifications are rejected already in #gather_dependencies,
|
|
so this condition cannot trigger.
|
|
---
|
|
lib/rubygems/dependency_installer.rb | 3 ---
|
|
1 file changed, 3 deletions(-)
|
|
|
|
diff --git a/lib/rubygems/dependency_installer.rb b/lib/rubygems/dependency_installer.rb
|
|
index d811f62..dffa8df 100644
|
|
--- a/lib/rubygems/dependency_installer.rb
|
|
+++ b/lib/rubygems/dependency_installer.rb
|
|
@@ -330,9 +330,6 @@ class Gem::DependencyInstaller
|
|
|
|
last = @gems_to_install.size - 1
|
|
@gems_to_install.each_with_index do |spec, index|
|
|
- # REFACTOR more current spec set hardcoding, should be abstracted?
|
|
- next if Gem::Specification.include?(spec) and index != last
|
|
-
|
|
# TODO: make this sorta_verbose so other users can benefit from it
|
|
say "Installing gem #{spec.full_name}" if Gem.configuration.really_verbose
|
|
|
|
--
|
|
1.8.1.2
|
|
|
|
|
|
From 2fa9087b1986db6c7945c0f997fed2bfff5ce06a Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
|
Date: Wed, 13 Feb 2013 15:47:47 +0100
|
|
Subject: [PATCH 2/3] Do not modify global Specification.dirs during
|
|
installation.
|
|
|
|
While gems are installed into --install-dir just fine even without
|
|
modifications of Specification.dirs, change in it makes inaccessible
|
|
gems already present on the system.
|
|
---
|
|
lib/rubygems/dependency_installer.rb | 15 ++++++---------
|
|
1 file changed, 6 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/lib/rubygems/dependency_installer.rb b/lib/rubygems/dependency_installer.rb
|
|
index dffa8df..841f26a 100644
|
|
--- a/lib/rubygems/dependency_installer.rb
|
|
+++ b/lib/rubygems/dependency_installer.rb
|
|
@@ -57,17 +57,14 @@ class Gem::DependencyInstaller
|
|
# :build_args:: See Gem::Installer::new
|
|
|
|
def initialize(options = {})
|
|
- @install_dir = options[:install_dir] || Gem.dir
|
|
|
|
if options[:install_dir] then
|
|
- # HACK shouldn't change the global settings, needed for -i behavior
|
|
- # maybe move to the install command? See also github #442
|
|
- Gem::Specification.dirs = @install_dir
|
|
- Gem.ensure_gem_subdirectories @install_dir
|
|
+ Gem.ensure_gem_subdirectories options[:install_dir]
|
|
end
|
|
|
|
options = DEFAULT_OPTIONS.merge options
|
|
|
|
+ @install_dir = options[:install_dir]
|
|
@bin_dir = options[:bin_dir]
|
|
@dev_shallow = options[:dev_shallow]
|
|
@development = options[:development]
|
|
@@ -92,7 +89,7 @@ class Gem::DependencyInstaller
|
|
@installed_gems = []
|
|
@toplevel_specs = nil
|
|
|
|
- @cache_dir = options[:cache_dir] || @install_dir
|
|
+ @cache_dir = options[:cache_dir] || @install_dir || Gem.dir
|
|
|
|
# Set with any errors that SpecFetcher finds while search through
|
|
# gemspecs for a dep
|
|
@@ -202,7 +199,7 @@ class Gem::DependencyInstaller
|
|
# that this isn't dependent only on the currently installed gems
|
|
dependency_list.specs.reject! { |spec|
|
|
not keep_names.include?(spec.full_name) and
|
|
- Gem::Specification.include?(spec)
|
|
+ (!@install_dir && Gem::Specification.include?(spec))
|
|
}
|
|
|
|
unless dependency_list.ok? or @ignore_dependencies or @force then
|
|
@@ -254,7 +251,7 @@ class Gem::DependencyInstaller
|
|
to_do.push t.spec
|
|
end
|
|
|
|
- results.remove_installed! dep
|
|
+ results.remove_installed! dep unless @install_dir
|
|
|
|
@available << results
|
|
results.inject_into_list dependency_list
|
|
@@ -360,7 +357,7 @@ class Gem::DependencyInstaller
|
|
:force => @force,
|
|
:format_executable => @format_executable,
|
|
:ignore_dependencies => @ignore_dependencies,
|
|
- :install_dir => @install_dir,
|
|
+ :install_dir => (@install_dir || Gem.dir),
|
|
:security_policy => @security_policy,
|
|
:user_install => @user_install,
|
|
:wrappers => @wrappers,
|
|
--
|
|
1.8.1.2
|
|
|
|
|
|
From d473204ce920702dd87257db49355929f31530d4 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
|
|
Date: Fri, 15 Feb 2013 17:02:44 +0100
|
|
Subject: [PATCH 3/3] Default to Gem.dir as late as possible.
|
|
|
|
---
|
|
lib/rubygems/dependency_installer.rb | 2 +-
|
|
lib/rubygems/installer.rb | 4 ++--
|
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/lib/rubygems/dependency_installer.rb b/lib/rubygems/dependency_installer.rb
|
|
index 841f26a..abcfa0f 100644
|
|
--- a/lib/rubygems/dependency_installer.rb
|
|
+++ b/lib/rubygems/dependency_installer.rb
|
|
@@ -357,7 +357,7 @@ class Gem::DependencyInstaller
|
|
:force => @force,
|
|
:format_executable => @format_executable,
|
|
:ignore_dependencies => @ignore_dependencies,
|
|
- :install_dir => (@install_dir || Gem.dir),
|
|
+ :install_dir => @install_dir,
|
|
:security_policy => @security_policy,
|
|
:user_install => @user_install,
|
|
:wrappers => @wrappers,
|
|
diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
|
|
index 780a88b..6543130 100644
|
|
--- a/lib/rubygems/installer.rb
|
|
+++ b/lib/rubygems/installer.rb
|
|
@@ -537,13 +537,13 @@ class Gem::Installer
|
|
:bin_dir => nil,
|
|
:env_shebang => false,
|
|
:force => false,
|
|
- :install_dir => Gem.dir,
|
|
:only_install_dir => false
|
|
}.merge options
|
|
|
|
@env_shebang = options[:env_shebang]
|
|
@force = options[:force]
|
|
- @gem_home = options[:install_dir]
|
|
+ @install_dir = options[:install_dir]
|
|
+ @gem_home = options[:install_dir] || Gem.dir
|
|
@ignore_dependencies = options[:ignore_dependencies]
|
|
@format_executable = options[:format_executable]
|
|
@security_policy = options[:security_policy]
|
|
--
|
|
1.8.1.2
|
|
|