From: Markus Koschany <apo@debian.org>
Date: Sun, 29 Apr 2018 21:41:01 +0200
Subject: CVE-2018-1000077
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
Origin: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964
---
 lib/ruby/shared/rubygems/specification.rb | 15 +++++++++++----
 test/externals/ruby1.9/rubygems/test_gem_specification.rb | 13 +++++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/lib/ruby/shared/rubygems/specification.rb b/lib/ruby/shared/rubygems/specification.rb
index eb89c4c..2ef709a 100644
--- a/lib/ruby/shared/rubygems/specification.rb
+++ b/lib/ruby/shared/rubygems/specification.rb
@@ -13,6 +13,7 @@ require 'rubygems/deprecate'
 require 'rubygems/basic_specification'
 require 'rubygems/stub_specification'
 require 'rubygems/util/stringio'
+require 'uri'
 
 ##
 # The Specification class contains the information for a Gem. Typically
@@ -2601,10 +2602,16 @@ http://opensource.org/licenses/alphabetical
       raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
     end
 
-    if homepage and not homepage.empty? and
-       homepage !~ /\A[a-z][a-z\d+.-]*:/i then
-      raise Gem::InvalidSpecificationException,
-            "\"#{homepage}\" is not a URI"
+    # Make sure a homepage is valid HTTP/HTTPS URI
+    if homepage and not homepage.empty?
+      begin
+        homepage_uri = URI.parse(homepage)
+        unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+          raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
+        end
+      rescue URI::InvalidURIError
+        raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
+      end
     end
 
     # Warnings
diff --git a/test/externals/ruby1.9/rubygems/test_gem_specification.rb b/test/externals/ruby1.9/rubygems/test_gem_specification.rb
index aa648c9..5541f7f 100644
--- a/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+++ b/test/externals/ruby1.9/rubygems/test_gem_specification.rb
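Review bot: `[URI::HTTP, URI::HTTPS].member? homepage_uri.class` is an exact-class test, and since `URI::HTTPS` is a subclass of `URI::HTTP` the same http/https allow-list reads better as `unless homepage_uri.is_a?(URI::HTTP)`; with the `rescue URI::InvalidURIError` branch reduced to `homepage_uri = nil` and that check moved after the `begin`/`end`, the two identical `raise` lines collapse into one. The scheme check alone does not require a host, so a value such as `http://` may still pass if `URI.parse` accepts it — worth confirming, and if a reachable homepage is the intent, also rejecting `homepage_uri.host.to_s.empty?`. The message `is not a URI` is now also raised for well-formed non-HTTP URIs such as `ftp://…`; `is not an HTTP or HTTPS URI` would be more accurate, but the new test in test_gem_specification.rb pins the current wording and would need the same change. The enclosing method (presumably `validate`, judging by the test hunk) starts and ends outside the hunk.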
@@ -1454,6 +1454,19 @@ end
     end
 
     assert_equal '"over at my cool site" is not a URI', e.message
+
+    @a1.homepage = 'ftp://rubygems.org'
+
+    e = assert_raises Gem::InvalidSpecificationException do
+      @a1.validate
+    end
+
+    assert_equal '"ftp://rubygems.org" is not a URI', e.message
+
+    @a1.homepage = 'http://rubygems.org'
+
+    assert_equal true, @a1.validate
+
   end
 
 end
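Review bot: The new assertions cover `ftp://` rejection and `http://` acceptance but not `https://`, even though the allow-list in specification.rb names `URI::HTTPS` separately; add `@a1.homepage = 'https://rubygems.org'` followed by `assert_equal true, @a1.validate` so a regression that drops HTTPS is caught. The `URI::InvalidURIError` path is only exercised by the earlier `"over at my cool site"` assertion, which is adequate, but a comment such as `# scheme allow-list: only http/https homepages are accepted` above the ftp case would explain why a well-formed URI is expected to fail here. The enclosing test method starts outside the hunk.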