From: Markus Koschany <apo@debian.org>
Date: Sun, 29 Apr 2018 21:41:01 +0200
Subject: CVE-2018-1000077

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
Origin: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964
---
 lib/ruby/shared/rubygems/specification.rb                 | 15 +++++++++++----
 test/externals/ruby1.9/rubygems/test_gem_specification.rb | 13 +++++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/lib/ruby/shared/rubygems/specification.rb b/lib/ruby/shared/rubygems/specification.rb
index eb89c4c..2ef709a 100644
--- a/lib/ruby/shared/rubygems/specification.rb
+++ b/lib/ruby/shared/rubygems/specification.rb
@@ -13,6 +13,7 @@ require 'rubygems/deprecate'
 require 'rubygems/basic_specification'
 require 'rubygems/stub_specification'
 require 'rubygems/util/stringio'
+require 'uri'
 
 ##
 # The Specification class contains the information for a Gem.  Typically
@@ -2601,10 +2602,16 @@ http://opensource.org/licenses/alphabetical
       raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
     end
 
-    if homepage and not homepage.empty? and
-       homepage !~ /\A[a-z][a-z\d+.-]*:/i then
-      raise Gem::InvalidSpecificationException,
-            "\"#{homepage}\" is not a URI"
+    # Make sure a homepage is valid HTTP/HTTPS URI
+    if homepage and not homepage.empty?
+      begin
+        homepage_uri = URI.parse(homepage)
+        unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+          raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
+        end
+      rescue URI::InvalidURIError
+        raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
+      end
     end
 
     # Warnings
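Review bot: The message raised in both new branches, `"\"#{homepage}\" is not a URI"`, no longer describes the check: `ftp://rubygems.org` is a well-formed URI and is rejected only because its scheme is not http(s), so `"\"#{homepage}\" is not a valid HTTP URI"` would be accurate (the test's assertion on that message would need the same wording). The exact-class test also appears to admit an HTTP(S) object with no host, since `URI.parse` seems to accept a scheme-only string such as `http:`; extending the condition to `unless [URI::HTTP, URI::HTTPS].member?(homepage_uri.class) && homepage_uri.host` is worth confirming against the Ruby version this package targets. Because both branches raise the identical exception, the comment above the block should state the intent rather than restate the code, e.g. `# Only http/https homepages are accepted; other schemes and unparsable strings are rejected (CVE-2018-1000077)`. The enclosing validate method starts and ends outside the hunk.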
diff --git a/test/externals/ruby1.9/rubygems/test_gem_specification.rb b/test/externals/ruby1.9/rubygems/test_gem_specification.rb
index aa648c9..5541f7f 100644
--- a/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+++ b/test/externals/ruby1.9/rubygems/test_gem_specification.rb
@@ -1454,6 +1454,19 @@ end
       end
 
       assert_equal '"over at my cool site" is not a URI', e.message
+
+      @a1.homepage = 'ftp://rubygems.org'
+
+      e = assert_raises Gem::InvalidSpecificationException do
+        @a1.validate
+      end
+
+      assert_equal '"ftp://rubygems.org" is not a URI', e.message
+
+      @a1.homepage = 'http://rubygems.org'
+
+      assert_equal true, @a1.validate
+
     end
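Review bot: The new assertions cover only the rejected `ftp://` scheme and an accepted `http://` homepage; `https://`, which the new validation explicitly allows, has no positive case, and nothing checks how a host-less value such as `http:` is treated. Adding `@a1.homepage = 'https://rubygems.org'` followed by `assert_equal true, @a1.validate` would pin the second accepted scheme. The enclosing test method starts before the hunk.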
   end