LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR) lib$(RUBY_SO_NAME).so'
],
[linux* | gnu* | k*bsd*-gnu | atheos* | kopensolaris*-gnu | haiku*], [
- LIBRUBY_DLDFLAGS='-Wl,-soname,lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR)'" $LDFLAGS_OPTDIR"
+ LIBRUBY_DLDFLAGS='-Wl,-soname,lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR)'" $LDFLAGS $LDFLAGS_OPTDIR"
LIBRUBY_ALIASES='lib$(RUBY_SO_NAME).so.$(MAJOR).$(MINOR) lib$(RUBY_SO_NAME).so'
if test "$load_relative" = yes; then
libprefix="'\$\${ORIGIN}/../${libdir_basename}'"
static VALUE dir_close(VALUE);
-#define GlobPathValue(str, safe) \
- /* can contain null bytes as separators */ \
- (!RB_TYPE_P((str), T_STRING) ? \
- (void)FilePathValue(str) : \
- (void)(check_safe_glob((str), (safe)), \
- check_glob_encoding(str), (str)))
-#define check_safe_glob(str, safe) ((safe) ? rb_check_safe_obj(str) : (void)0)
-#define check_glob_encoding(str) rb_enc_check((str), rb_enc_from_encoding(rb_usascii_encoding()))
-
static VALUE
dir_s_alloc(VALUE klass)
{
}
}
- GlobPathValue(dirname, FALSE);
+ FilePathValue(dirname);
orig = rb_str_dup_frozen(dirname);
dirname = rb_str_encode_ospath(dirname);
dirname = rb_str_dup_frozen(dirname);
long offset = 0;
VALUE ary;
- GlobPathValue(str, TRUE);
+ /* can contain null bytes as separators */
+ if (!RB_TYPE_P((str), T_STRING)) {
+ FilePathValue(str);
+ }
+ else {
+ rb_check_safe_obj(str);
+ rb_enc_check(str, rb_enc_from_encoding(rb_usascii_encoding()));
+ }
ary = rb_ary_new();
while (offset < RSTRING_LEN(str)) {
for (i = 0; i < argc; ++i) {
int status;
VALUE str = argv[i];
- GlobPathValue(str, TRUE);
+ FilePathValue(str);
status = push_glob(ary, str, flags);
if (status) GLOB_JUMP_TAG(status);
}
# -*- ruby -*-
_VERSION = "1.2.8"
-date = %w$Date:: $[1]
Gem::Specification.new do |s|
s.name = "bigdecimal"
s.version = _VERSION
- s.date = date
+ s.date = RUBY_RELEASE_DATE
s.license = 'ruby'
s.summary = "Arbitrary-precision decimal floating-point number library."
s.homepage = "http://www.ruby-lang.org"
# -*- ruby -*-
_VERSION = "0.4.5"
-date = %w$Date:: $[1]
Gem::Specification.new do |s|
s.name = "io-console"
s.version = _VERSION
- s.date = date
+ s.date = RUBY_RELEASE_DATE
s.summary = "Console interface"
s.email = "nobu@ruby-lang.org"
s.description = "add console capabilities to IO instances."
char *result;
if (len <= 0) return NULL;
result = ALLOC_N(char, len);
- memccpy(result, ptr, 0, len);
+ memcpy(result, ptr, len);
return result;
}
}
} else {
if (state->indent) ruby_xfree(state->indent);
- state->indent = strdup(RSTRING_PTR(indent));
+ state->indent = fstrndup(RSTRING_PTR(indent), len);
state->indent_len = len;
}
return Qnil;
}
} else {
if (state->space) ruby_xfree(state->space);
- state->space = strdup(RSTRING_PTR(space));
+ state->space = fstrndup(RSTRING_PTR(space), len);
state->space_len = len;
}
return Qnil;
}
} else {
if (state->space_before) ruby_xfree(state->space_before);
- state->space_before = strdup(RSTRING_PTR(space_before));
+ state->space_before = fstrndup(RSTRING_PTR(space_before), len);
state->space_before_len = len;
}
return Qnil;
}
} else {
if (state->object_nl) ruby_xfree(state->object_nl);
- state->object_nl = strdup(RSTRING_PTR(object_nl));
+ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
state->object_nl_len = len;
}
return Qnil;
}
} else {
if (state->array_nl) ruby_xfree(state->array_nl);
- state->array_nl = strdup(RSTRING_PTR(array_nl));
+ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
state->array_nl_len = len;
}
return Qnil;
#ifndef _GENERATOR_H_
#define _GENERATOR_H_
-#include <string.h>
#include <math.h>
#include <ctype.h>
Gem::Specification.new do |s|
s.name = "json"
s.version = "1.8.3"
+ s.date = RUBY_RELEASE_DATE
s.summary = "This json is bundled with Ruby"
s.executables = []
s.files = ["json.rb", "json/add/bigdecimal.rb", "json/add/complex.rb", "json/add/core.rb", "json/add/date.rb", "json/add/date_time.rb", "json/add/exception.rb", "json/add/ostruct.rb", "json/add/range.rb", "json/add/rational.rb", "json/add/regexp.rb", "json/add/struct.rb", "json/add/symbol.rb", "json/add/time.rb", "json/common.rb", "json/ext.rb", "json/ext/generator.bundle", "json/ext/parser.bundle", "json/generic_object.rb", "json/version.rb"]
# frozen_string_literal: false
module JSON
# JSON version
- VERSION = '1.8.3'
+ VERSION = '1.8.3.1'
VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc:
VERSION_MINOR = VERSION_ARRAY[1] # :nodoc:
{
VALUE value, asn1data, ary;
int infinite;
- long off = *offset;
+ long available_len, off = *offset;
infinite = (j == 0x21);
ary = rb_ary_new();
- while (length > 0 || infinite) {
+ available_len = infinite ? max_len : length;
+ while (available_len > 0) {
long inner_read = 0;
- value = ossl_asn1_decode0(pp, max_len, &off, depth + 1, yield, &inner_read);
+ value = ossl_asn1_decode0(pp, available_len, &off, depth + 1, yield, &inner_read);
*num_read += inner_read;
- max_len -= inner_read;
+ available_len -= inner_read;
rb_ary_push(ary, value);
- if (length > 0)
- length -= inner_read;
if (infinite &&
NUM2INT(ossl_asn1_get_tag(value)) == V_ASN1_EOC &&
if(j & V_ASN1_CONSTRUCTED) {
*pp += hlen;
off += hlen;
- asn1data = int_ossl_asn1_decode0_cons(pp, length, len, &off, depth, yield, j, tag, tag_class, &inner_read);
+ asn1data = int_ossl_asn1_decode0_cons(pp, length - hlen, len, &off, depth, yield, j, tag, tag_class, &inner_read);
inner_read += hlen;
}
else {
*/
VALUE cCipher;
VALUE eCipherError;
+static ID id_key_set;
static VALUE ossl_cipher_alloc(VALUE klass);
static void ossl_cipher_free(void *ptr);
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *cipher;
char *name;
- unsigned char key[EVP_MAX_KEY_LENGTH];
name = StringValuePtr(str);
GetCipherInit(self, ctx);
if (!(cipher = EVP_get_cipherbyname(name))) {
ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%s)", name);
}
- /*
- * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows
- * uninitialized key, but other EVPs (such as AES) does not allow it.
- * Calling EVP_CipherUpdate() without initializing key causes SEGV so we
- * set the data filled with "\0" as the key by default.
- */
- memset(key, 0, EVP_MAX_KEY_LENGTH);
- if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1)
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1)
ossl_raise(eCipherError, NULL);
return self;
ossl_raise(eCipherError, NULL);
}
+ if (p_key)
+ rb_ivar_set(self, id_key_set, Qtrue);
+
return self;
}
OPENSSL_cleanse(key, sizeof key);
OPENSSL_cleanse(iv, sizeof iv);
+ rb_ivar_set(self, id_key_set, Qtrue);
+
return Qnil;
}
VALUE data, str;
rb_scan_args(argc, argv, "11", &data, &str);
+ if (!RTEST(rb_attr_get(self, id_key_set)))
+ ossl_raise(eCipherError, "key not set");
StringValue(data);
in = (unsigned char *)RSTRING_PTR(data);
if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1)
ossl_raise(eCipherError, NULL);
+ rb_ivar_set(self, id_key_set, Qtrue);
+
return key;
}
rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0);
rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0);
rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1);
+
+ id_key_set = rb_intern_const("key_set");
}
result = ossl_x509name_cmp0(self, other);
if (result < 0) return INT2FIX(-1);
- if (result > 1) return INT2FIX(1);
+ if (result > 0) return INT2FIX(1);
return INT2FIX(0);
}
arg->sockaddrlen, 0);
}
+static VALUE
+unixsock_path_value(VALUE path)
+{
+#ifdef __linux__
+#define TO_STR_FOR_LINUX_ABSTRACT_NAMESPACE 0
+
+ VALUE name = path;
+#if TO_STR_FOR_LINUX_ABSTRACT_NAMESPACE
+ const int isstr = !NIL_P(name = rb_check_string_type(name));
+#else
+ const int isstr = RB_TYPE_P(name, T_STRING);
+#endif
+ if (isstr) {
+ if (RSTRING_LEN(name) == 0 || RSTRING_PTR(name)[0] == '\0') {
+ rb_check_safe_obj(name);
+ return name; /* ignore encoding */
+ }
+ }
+#endif
+ return rb_get_path(path);
+}
+
VALUE
rsock_init_unixsock(VALUE sock, VALUE path, int server)
{
int fd, status;
rb_io_t *fptr;
- SafeStringValue(path);
+ path = unixsock_path_value(path);
INIT_SOCKADDR_UN(&sockaddr, sizeof(struct sockaddr_un));
if (sizeof(sockaddr.sun_path) < (size_t)RSTRING_LEN(path)) {
LIBS = #{$LIBRUBYARG} #{$libs} #{$LIBS}
ORIG_SRCS = #{orig_srcs.collect(&File.method(:basename)).join(' ')}
SRCS = $(ORIG_SRCS) #{(srcs - orig_srcs).collect(&File.method(:basename)).join(' ')}
-OBJS = #{$objs.join(" ")}
+OBJS = #{$objs.sort.join(" ")}
HDRS = #{hdrs.map{|h| '$(srcdir)/' + File.basename(h)}.join(' ')}
TARGET = #{target}
TARGET_NAME = #{target && target[/\A\w+/]}
if localfile
if @resume
rest_offset = File.size?(localfile)
- f = open(localfile, "a")
+ f = File.open(localfile, "a")
else
rest_offset = nil
- f = open(localfile, "w")
+ f = File.open(localfile, "w")
end
elsif !block_given?
result = String.new
f = nil
result = nil
if localfile
- f = open(localfile, "w")
+ f = File.open(localfile, "w")
elsif !block_given?
result = String.new
end
else
rest_offset = nil
end
- f = open(localfile)
+ f = File.open(localfile)
begin
f.binmode
if rest_offset
# passing in the transmitted data one line at a time.
#
def puttextfile(localfile, remotefile = File.basename(localfile), &block) # :yield: line
- f = open(localfile)
+ f = File.open(localfile)
begin
storlines("STOR #{remotefile}", f, &block)
ensure
private
+ def validate_line(line)
+ # A bare CR or LF is not allowed in RFC5321.
+ if /[\r\n]/ =~ line
+ raise ArgumentError, "A line must not contain CR or LF"
+ end
+ end
+
def getok(reqline)
+ validate_line reqline
res = critical {
@socket.writeline reqline
recv_response()
end
def get_response(reqline)
+ validate_line reqline
@socket.writeline reqline
recv_response()
end
debug_msg "Writing gzipped search index to %s" % outfile
Zlib::GzipWriter.open(outfile) do |gz|
- gz.mtime = File.mtime(search_index_file)
+ gz.mtime = -1
gz.orig_name = search_index_file.basename.to_s
gz.write search_index
gz.close
debug_msg "Writing gzipped file to %s" % outfile
Zlib::GzipWriter.open(outfile) do |gz|
- gz.mtime = File.mtime(dest)
+ gz.mtime = -1
gz.orig_name = dest.basename.to_s
gz.write data
gz.close
Gem::Specification.new do |s|
s.name = "rdoc"
s.version = "4.2.1"
+ s.date = RUBY_RELEASE_DATE
s.summary = "This rdoc is bundled with Ruby"
s.executables = ["rdoc", "ri"]
s.files = ["rdoc.rb", "rdoc/alias.rb", "rdoc/anon_class.rb", "rdoc/any_method.rb", "rdoc/attr.rb", "rdoc/class_module.rb", "rdoc/code_object.rb", "rdoc/code_objects.rb", "rdoc/comment.rb", "rdoc/constant.rb", "rdoc/context.rb", "rdoc/context/section.rb", "rdoc/cross_reference.rb", "rdoc/encoding.rb", "rdoc/erb_partial.rb", "rdoc/erbio.rb", "rdoc/extend.rb", "rdoc/generator.rb", "rdoc/generator/darkfish.rb", "rdoc/generator/json_index.rb", "rdoc/generator/markup.rb", "rdoc/generator/pot.rb", "rdoc/generator/pot/message_extractor.rb", "rdoc/generator/pot/po.rb", "rdoc/generator/pot/po_entry.rb", "rdoc/generator/ri.rb", "rdoc/ghost_method.rb", "rdoc/i18n.rb", "rdoc/i18n/locale.rb", "rdoc/i18n/text.rb", "rdoc/include.rb", "rdoc/known_classes.rb", "rdoc/markdown.rb", "rdoc/markdown/entities.rb", "rdoc/markdown/literals_1_9.rb", "rdoc/markup.rb", "rdoc/markup/attr_changer.rb", "rdoc/markup/attr_span.rb", "rdoc/markup/attribute_manager.rb", "rdoc/markup/attributes.rb", "rdoc/markup/blank_line.rb", "rdoc/markup/block_quote.rb", "rdoc/markup/document.rb", "rdoc/markup/formatter.rb", "rdoc/markup/formatter_test_case.rb", "rdoc/markup/hard_break.rb", "rdoc/markup/heading.rb", "rdoc/markup/include.rb", "rdoc/markup/indented_paragraph.rb", "rdoc/markup/inline.rb", "rdoc/markup/list.rb", "rdoc/markup/list_item.rb", "rdoc/markup/paragraph.rb", "rdoc/markup/parser.rb", "rdoc/markup/pre_process.rb", "rdoc/markup/raw.rb", "rdoc/markup/rule.rb", "rdoc/markup/special.rb", "rdoc/markup/text_formatter_test_case.rb", "rdoc/markup/to_ansi.rb", "rdoc/markup/to_bs.rb", "rdoc/markup/to_html.rb", "rdoc/markup/to_html_crossref.rb", "rdoc/markup/to_html_snippet.rb", "rdoc/markup/to_joined_paragraph.rb", "rdoc/markup/to_label.rb", "rdoc/markup/to_markdown.rb", "rdoc/markup/to_rdoc.rb", "rdoc/markup/to_table_of_contents.rb", "rdoc/markup/to_test.rb", "rdoc/markup/to_tt_only.rb", "rdoc/markup/verbatim.rb", "rdoc/meta_method.rb", "rdoc/method_attr.rb", "rdoc/mixin.rb", "rdoc/normal_class.rb", "rdoc/normal_module.rb", "rdoc/options.rb", "rdoc/parser.rb", "rdoc/parser/c.rb", "rdoc/parser/changelog.rb", "rdoc/parser/markdown.rb", "rdoc/parser/rd.rb", "rdoc/parser/ruby.rb", "rdoc/parser/ruby_tools.rb", "rdoc/parser/simple.rb", "rdoc/parser/text.rb", "rdoc/rd.rb", "rdoc/rd/block_parser.rb", "rdoc/rd/inline.rb", "rdoc/rd/inline_parser.rb", "rdoc/rdoc.rb", "rdoc/require.rb", "rdoc/ri.rb", "rdoc/ri/driver.rb", "rdoc/ri/formatter.rb", "rdoc/ri/paths.rb", "rdoc/ri/store.rb", "rdoc/ri/task.rb", "rdoc/ruby_lex.rb", "rdoc/ruby_token.rb", "rdoc/rubygems_hook.rb", "rdoc/servlet.rb", "rdoc/single_class.rb", "rdoc/stats.rb", "rdoc/stats/normal.rb", "rdoc/stats/quiet.rb", "rdoc/stats/verbose.rb", "rdoc/store.rb", "rdoc/task.rb", "rdoc/test_case.rb", "rdoc/text.rb", "rdoc/token_stream.rb", "rdoc/tom_doc.rb", "rdoc/top_level.rb"]
end
end
- file_list.flatten
+ file_list.flatten.sort
end
##
unless @initialized
@name2addr = {}
@addr2name = {}
- open(@filename, 'rb') {|f|
+ File.open(@filename, 'rb') {|f|
f.each {|line|
line.sub!(/#.*/, '')
addr, hostname, *aliases = line.split(/\s+/)
require 'thread'
module Gem
- VERSION = '2.5.2'
+ VERSION = '2.5.2.1'
end
# Must be first since it unloads the prelude from 1.9.2
unless test_syck
begin
- gem 'psych', '>= 1.2.1'
+ gem 'psych', '>= 2.0.0'
rescue Gem::LoadError
# It's OK if the user does not have the psych gem installed. We will
# attempt to require the stdlib version
end
require 'yaml'
+ require 'rubygems/safe_yaml'
# If we're supposed to be using syck, then we may have to force
# activate it via the YAML::ENGINE API.
end
with_response response do |resp|
- owners = YAML.load resp.body
+ owners = Gem::SafeYAML.load resp.body
say "Owners for gem: #{name}"
owners.each do |owner|
end
end
- output << make_entry(matching_tuples, platforms)
+ output << clean_text(make_entry(matching_tuples, platforms))
end
end
end
def spec_summary entry, spec
- entry << "\n\n" << format_text(spec.summary, 68, 4)
+ summary = truncate_text(spec.summary, "the summary for #{spec.full_name}")
+ entry << "\n\n" << format_text(summary, 68, 4)
end
end
return {} unless filename and File.exist? filename
begin
- content = YAML.load(File.read(filename))
+ content = Gem::SafeYAML.load(File.read(filename))
unless content.kind_of? Hash
warn "Failed to load #{filename} because it doesn't contain valid YAML hash"
return {}
unpack or File.writable?(gem_home)
end
+ def verify_spec_name
+ return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+ raise Gem::InstallError, "#{spec} has an invalid name"
+ end
+
##
# Return the text for an application file.
ensure_loadable_spec
+ verify_spec_name
+
if options[:install_as_default]
Gem.ensure_default_gem_subdirectories gem_home
else
File.dirname destination
end
- FileUtils.mkdir_p mkdir, mkdir_options
+ mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
open destination, 'wb' do |out|
out.write entry.read
raise Gem::Package::PathError.new(filename, destination_dir) if
filename.start_with? '/'
- destination_dir = File.realpath destination_dir if
- File.respond_to? :realpath
+ destination_dir = realpath destination_dir
destination_dir = File.expand_path destination_dir
destination = File.join destination_dir, filename
destination = File.expand_path destination
raise Gem::Package::PathError.new(destination, destination_dir) unless
- destination.start_with? destination_dir
+ destination.start_with? destination_dir + '/'
destination.untaint
destination
end
+ def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
+ destination_dir = realpath File.expand_path(destination_dir)
+ parts = mkdir.split(File::SEPARATOR)
+ parts.reduce do |path, basename|
+ path = realpath path unless path == ""
+ path = File.expand_path(path + File::SEPARATOR + basename)
+ lstat = File.lstat path rescue nil
+ if !lstat || !lstat.directory?
+ unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
+ raise Gem::Package::PathError.new(file_name, destination_dir)
+ end
+ end
+ path
+ end
+ end
+
##
# Loads a Gem::Specification from the TarEntry +entry+
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
Zlib::GzipReader.wrap entry do |gz_io|
- YAML.load gz_io.read
+ Gem::SafeYAML.safe_load gz_io.read
end
end
end
raise Gem::Package::FormatError.new \
'package content (data.tar.gz) is missing', @gem
end
+
+ if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
+ raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
+ end
end
##
raise Gem::Package::FormatError.new(e.message, entry.full_name)
end
+ if File.respond_to? :realpath
+ def realpath file
+ File.realpath file
+ end
+ else
+ def realpath file
+ file
+ end
+ end
+
end
require 'rubygems/package/digest_io'
header << line
end
- YAML.load header
+ Gem::SafeYAML.safe_load header
end
##
fields = header.unpack UNPACK_FORMAT
new :name => fields.shift,
- :mode => fields.shift.oct,
- :uid => fields.shift.oct,
- :gid => fields.shift.oct,
- :size => fields.shift.oct,
- :mtime => fields.shift.oct,
- :checksum => fields.shift.oct,
+ :mode => strict_oct(fields.shift),
+ :uid => strict_oct(fields.shift),
+ :gid => strict_oct(fields.shift),
+ :size => strict_oct(fields.shift),
+ :mtime => strict_oct(fields.shift),
+ :checksum => strict_oct(fields.shift),
:typeflag => fields.shift,
:linkname => fields.shift,
:magic => fields.shift,
- :version => fields.shift.oct,
+ :version => strict_oct(fields.shift),
:uname => fields.shift,
:gname => fields.shift,
- :devmajor => fields.shift.oct,
- :devminor => fields.shift.oct,
+ :devmajor => strict_oct(fields.shift),
+ :devminor => strict_oct(fields.shift),
:prefix => fields.shift,
:empty => empty
end
+ def self.strict_oct(str)
+ return str.oct if str =~ /\A[0-7]*\z/
+ raise ArgumentError, "#{str.inspect} is not an octal string"
+ end
+
##
# Creates a new TarHeader using +vals+
digest_name == signer.digest_name
end
+ raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
+
if signer.key then
signature = signer.sign signature_digest.digest
else
target = res.target.to_s.strip
- if /\.#{Regexp.quote(host)}\z/ =~ target
+ if URI("http://" + target).host.end_with?(".#{host}")
return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
end
--- /dev/null
+module Gem
+
+ ###
+ # This module is used for safely loading YAML specs from a gem. The
+ # `safe_load` method defined on this module is specifically designed for
+ # loading Gem specifications. For loading other YAML safely, please see
+ # Psych.safe_load
+
+ module SafeYAML
+ WHITELISTED_CLASSES = %w(
+ Symbol
+ Time
+ Date
+ Gem::Dependency
+ Gem::Platform
+ Gem::Requirement
+ Gem::Specification
+ Gem::Version
+ Gem::Version::Requirement
+ YAML::Syck::DefaultKey
+ Syck::DefaultKey
+ )
+
+ WHITELISTED_SYMBOLS = %w(
+ development
+ runtime
+ )
+
+ if ::YAML.respond_to? :safe_load
+ def self.safe_load input
+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+ end
+
+ def self.load input
+ ::YAML.safe_load(input, [::Symbol])
+ end
+ else
+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+ def self.safe_load input, *args
+ ::YAML.load input
+ end
+
+ def self.load input
+ ::YAML.load input
+ end
+ end
+ end
+end
executables = nil if executables.empty?
executables.last["is_last"] = true if executables
+ # Pre-process spec homepage for safety reasons
+ begin
+ homepage_uri = URI.parse(spec.homepage)
+ if [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+ homepage_uri = spec.homepage
+ else
+ homepage_uri = "."
+ end
+ rescue URI::InvalidURIError
+ homepage_uri = "."
+ end
+
specs << {
"authors" => spec.authors.sort.join(", "),
"date" => spec.date.to_s,
"only_one_executable" => (executables && executables.size == 1),
"full_name" => spec.full_name,
"has_deps" => !deps.empty?,
- "homepage" => spec.homepage,
+ "homepage" => homepage_uri,
"name" => spec.name,
"rdoc_installed" => Gem::RDoc.new(spec).rdoc_installed?,
"ri_installed" => Gem::RDoc.new(spec).ri_installed?,
require 'rubygems/stub_specification'
require 'rubygems/util/list'
require 'stringio'
+require 'uri'
##
# The Specification class contains the information for a Gem. Typically
private_constant :LOAD_CACHE if defined? private_constant
+ VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc:
+
# :startdoc:
##
Gem.load_yaml
input = normalize_yaml_input input
- spec = YAML.load input
+ spec = Gem::SafeYAML.safe_load input
if spec && spec.class == FalseClass then
raise Gem::EndOfYAMLException
raise(Gem::InvalidSpecificationException,
"invalid date format in specification: #{date.inspect}")
end
- when Time, DateLike then
+ when Time then
+ Time.utc(date.utc.year, date.utc.month, date.utc.day)
+ when DateLike then
Time.utc(date.year, date.month, date.day)
else
TODAY
end
end
- unless String === name then
+ if !name.is_a?(String) then
+ raise Gem::InvalidSpecificationException,
+ "invalid value for attribute name: \"#{name.inspect}\" must be a string"
+ elsif name !~ /[a-zA-Z]/ then
raise Gem::InvalidSpecificationException,
- "invalid value for attribute name: \"#{name.inspect}\""
+ "invalid value for attribute name: #{name.dump} must include at least one letter"
+ elsif name !~ VALID_NAME_PATTERN then
+ raise Gem::InvalidSpecificationException,
+ "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores"
end
if raw_require_paths.empty? then
raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
end
- if homepage and not homepage.empty? and
- homepage !~ /\A[a-z][a-z\d+.-]*:/i then
- raise Gem::InvalidSpecificationException,
- "\"#{homepage}\" is not a URI"
+ # Make sure a homepage is valid HTTP/HTTPS URI
+ if homepage and not homepage.empty?
+ begin
+ homepage_uri = URI.parse(homepage)
+ unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
+ end
+ rescue URI::InvalidURIError
+ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
+ end
end
# Warnings
module Gem::Text
+ ##
+ # Remove any non-printable characters and make the text suitable for
+ # printing.
+ def clean_text(text)
+ text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze)
+ end
+
+ def truncate_text(text, description, max_length = 100_000)
+ raise ArgumentError, "max_length must be positive" unless max_length > 0
+ return text if text.size <= max_length
+ "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length]
+ end
+
##
# Wraps +text+ to +wrap+ characters and optionally indents by +indent+
# characters
def format_text(text, wrap, indent=0)
result = []
- work = text.dup
+ work = clean_text(text)
while work.length > wrap do
if work =~ /^(.{0,#{wrap}})[ \n]/ then
def make_tmpname((prefix, suffix), n)
prefix = (String.try_convert(prefix) or
raise ArgumentError, "unexpected prefix: #{prefix.inspect}")
+ prefix = prefix.delete("#{File::SEPARATOR}#{File::ALT_SEPARATOR}")
suffix &&= (String.try_convert(suffix) or
raise ArgumentError, "unexpected suffix: #{suffix.inspect}")
+ suffix &&= suffix.delete("#{File::SEPARATOR}#{File::ALT_SEPARATOR}")
t = Time.now.strftime("%Y%m%d")
path = "#{prefix}#{t}-#{$$}-#{rand(0x100000000).to_s(36)}".dup
path << "-#{n}" if n
ha2 = hexdigest(req.request_method, auth_req['uri'])
ha2_res = hexdigest("", auth_req['uri'])
elsif auth_req['qop'] == "auth-int"
- ha2 = hexdigest(req.request_method, auth_req['uri'],
- hexdigest(req.body))
- ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body))
+ body_digest = @h.new
+ req.body { |chunk| body_digest.update(chunk) }
+ body_digest = body_digest.hexdigest
+ ha2 = hexdigest(req.request_method, auth_req['uri'], body_digest)
+ ha2_res = hexdigest("", auth_req['uri'], body_digest)
end
if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int"
MAX_URI_LENGTH = 2083 # :nodoc:
+ # same as Mongrel, Thin and Puma
+ MAX_HEADER_LENGTH = (112 * 1024) # :nodoc:
+
def read_request_line(socket)
@request_line = read_line(socket, MAX_URI_LENGTH) if socket
- if @request_line.bytesize >= MAX_URI_LENGTH and @request_line[-1, 1] != LF
+ @request_bytes = @request_line.bytesize
+ if @request_bytes >= MAX_URI_LENGTH and @request_line[-1, 1] != LF
raise HTTPStatus::RequestURITooLarge
end
@request_time = Time.now
if socket
while line = read_line(socket)
break if /\A(#{CRLF}|#{LF})\z/om =~ line
+ if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH
+ raise HTTPStatus::RequestEntityTooLarge, 'headers too large'
+ end
@raw_header << line
end
end
def read_chunked(socket, block)
chunk_size, = read_chunk_size(socket)
while chunk_size > 0
- data = read_data(socket, chunk_size) # read chunk-data
- if data.nil? || data.bytesize != chunk_size
- raise BadRequest, "bad chunk data size."
- end
+ begin
+ sz = [ chunk_size, @buffer_size ].min
+ data = read_data(socket, sz) # read chunk-data
+ if data.nil? || data.bytesize != sz
+ raise HTTPStatus::BadRequest, "bad chunk data size."
+ end
+ block.call(data)
+ end while (chunk_size -= sz) > 0
+
read_line(socket) # skip CRLF
- block.call(data)
chunk_size, = read_chunk_size(socket)
end
read_header(socket) # trailer + CRLF
# WEBrick HTTP Servlet.
class HTTPResponse
+ class InvalidHeader < StandardError
+ end
##
# HTTP Response version
data = status_line()
@header.each{|key, value|
tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase }
- data << "#{tmp}: #{value}" << CRLF
+ data << "#{tmp}: #{check_header(value)}" << CRLF
}
@cookies.each{|cookie|
- data << "Set-Cookie: " << cookie.to_s << CRLF
+ data << "Set-Cookie: " << check_header(cookie.to_s) << CRLF
}
data << CRLF
_write_data(socket, data)
end
+ rescue InvalidHeader => e
+ @header.clear
+ @cookies.clear
+ set_error e
+ retry
end
##
def send_body(socket) # :nodoc:
if @body.respond_to? :readpartial then
send_body_io(socket)
+ elsif @body.respond_to?(:call) then
+ send_body_proc(socket)
else
send_body_string(socket)
end
host, port = @config[:ServerName], @config[:Port]
end
+ error_body(backtrace, ex, host, port)
+ end
+
+ private
+
+ def check_header(header_value)
+ if header_value =~ /\r\n/
+ raise InvalidHeader
+ else
+ header_value
+ end
+ end
+
+ # :stopdoc:
+
+ def error_body(backtrace, ex, host, port)
@body = ''
@body << <<-_end_of_html_
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
end
_write_data(socket, "0#{CRLF}#{CRLF}")
else
- size = @header['content-length'].to_i
- _send_file(socket, @body, 0, size)
- @sent_size = size
+ if %r{\Abytes (\d+)-(\d+)/\d+\z} =~ @header['content-range']
+ offset = $1.to_i
+ size = $2.to_i - offset + 1
+ else
+ offset = nil
+ size = @header['content-length']
+ size = size.to_i if size
+ end
+ begin
+ @sent_size = IO.copy_stream(@body, socket, size, offset)
+ rescue NotImplementedError
+ @body.seek(offset, IO::SEEK_SET)
+ @sent_size = IO.copy_stream(@body, socket, size)
+ end
end
ensure
@body.close
end
end
- def _send_file(output, input, offset, size)
- while offset > 0
- sz = @buffer_size < size ? @buffer_size : size
- buf = input.read(sz)
- offset -= buf.bytesize
+ def send_body_proc(socket)
+ if @request_method == "HEAD"
+ # do nothing
+ elsif chunked?
+ @body.call(ChunkedWrapper.new(socket, self))
+ _write_data(socket, "0#{CRLF}#{CRLF}")
+ else
+ size = @header['content-length'].to_i
+ @body.call(socket)
+ @sent_size = size
end
+ end
- if size == 0
- while buf = input.read(@buffer_size)
- _write_data(output, buf)
- end
- else
- while size > 0
- sz = @buffer_size < size ? @buffer_size : size
- buf = input.read(sz)
- _write_data(output, buf)
- size -= buf.bytesize
- end
+ class ChunkedWrapper
+ def initialize(socket, resp)
+ @socket = socket
+ @resp = resp
+ end
+
+ def write(buf)
+ return 0 if buf.empty?
+ socket = @socket
+ @resp.instance_eval {
+ size = buf.bytesize
+ data = "#{size.to_s(16)}#{CRLF}#{buf}#{CRLF}"
+ _write_data(socket, data)
+ data.clear
+ @sent_size += size
+ size
+ }
+ end
+
+ def <<(*buf)
+ write(buf)
+ self
end
end
k.sort!
k.reverse!
k.collect!{|path| Regexp.escape(path) }
- @scanner = Regexp.new("^(" + k.join("|") +")(?=/|$)")
+ @scanner = Regexp.new("\\A(" + k.join("|") +")(?=/|\\z)")
end
def normalize(dir)
ret = dir ? dir.dup : ""
- ret.sub!(%r|/+$|, "")
+ ret.sub!(%r|/+\z|, "")
ret
end
end
cgi_in.write("%8d" % dump.bytesize)
cgi_in.write(dump)
- if req.body and req.body.bytesize > 0
- cgi_in.write(req.body)
- end
+ req.body { |chunk| cgi_in.write(chunk) }
ensure
cgi_in.close
status = $?.exitstatus
return false
end
+ # returns a lambda for webrick/httpresponse.rb send_body_proc
+ def multipart_body(body, parts, boundary, mtype, filesize)
+ lambda do |socket|
+ begin
+ begin
+ first = parts.shift
+ last = parts.shift
+ socket.write(
+ "--#{boundary}#{CRLF}" \
+ "Content-Type: #{mtype}#{CRLF}" \
+ "Content-Range: bytes #{first}-#{last}/#{filesize}#{CRLF}" \
+ "#{CRLF}"
+ )
+
+ begin
+ IO.copy_stream(body, socket, last - first + 1, first)
+ rescue NotImplementedError
+ body.seek(first, IO::SEEK_SET)
+ IO.copy_stream(body, socket, last - first + 1)
+ end
+ socket.write(CRLF)
+ end while parts[0]
+ socket.write("--#{boundary}--#{CRLF}")
+ ensure
+ body.close
+ end
+ end
+ end
+
def make_partial_content(req, res, filename, filesize)
mtype = HTTPUtils::mime_type(filename, @config[:MimeTypes])
unless ranges = HTTPUtils::parse_range_header(req['range'])
if ranges.size > 1
time = Time.now
boundary = "#{time.sec}_#{time.usec}_#{Process::pid}"
- body = ''
- ranges.each{|range|
- first, last = prepare_range(range, filesize)
- next if first < 0
- io.pos = first
- content = io.read(last-first+1)
- body << "--" << boundary << CRLF
- body << "Content-Type: #{mtype}" << CRLF
- body << "Content-Range: bytes #{first}-#{last}/#{filesize}" << CRLF
- body << CRLF
- body << content
- body << CRLF
+ parts = []
+ ranges.each {|range|
+ prange = prepare_range(range, filesize)
+ next if prange[0] < 0
+ parts.concat(prange)
}
- raise HTTPStatus::RequestRangeNotSatisfiable if body.empty?
- body << "--" << boundary << "--" << CRLF
+ raise HTTPStatus::RequestRangeNotSatisfiable if parts.empty?
res["content-type"] = "multipart/byteranges; boundary=#{boundary}"
- res.body = body
+ if req.http_version < '1.1'
+ res['connection'] = 'close'
+ else
+ res.chunked = true
+ end
+ res.body = multipart_body(io.dup, parts, boundary, mtype, filesize)
elsif range = ranges[0]
first, last = prepare_range(range, filesize)
raise HTTPStatus::RequestRangeNotSatisfiable if first < 0
- if last == filesize - 1
- content = io.dup
- content.pos = first
- else
- io.pos = first
- content = io.read(last-first+1)
- end
res['content-type'] = mtype
res['content-range'] = "bytes #{first}-#{last}/#{filesize}"
res['content-length'] = last - first + 1
- res.body = content
+ res.body = io.dup
else
raise HTTPStatus::BadRequest
end
##
# Root of the HTTP status class hierarchy
class Status < StandardError
- def initialize(*args) # :nodoc:
- args[0] = AccessLog.escape(args[0]) unless args.empty?
- super(*args)
- end
class << self
attr_reader :code, :reason_phrase # :nodoc:
end
# * Otherwise it will return +arg+.inspect.
def format(arg)
if arg.is_a?(Exception)
- "#{arg.class}: #{arg.message}\n\t" <<
+ "#{arg.class}: #{AccessLog.escape(arg.message)}\n\t" <<
arg.backtrace.join("\n\t") << "\n"
elsif arg.respond_to?(:to_str)
- arg.to_str
+ AccessLog.escape(arg.to_str)
else
arg.inspect
end
StringValue(from);
ptr = RSTRING_PTR(from);
plen = RSTRING_LEN(from);
+ OBJ_INFECT(res, from);
if (len == 0 && type == 'm') {
encodes(res, ptr, plen, type, 0);
case 'M': /* quoted-printable encoded string */
from = rb_obj_as_string(NEXTFROM);
+ OBJ_INFECT(res, from);
if (len <= 1)
len = 72;
qpencode(res, from, len);
}
else {
t = StringValuePtr(from);
+ OBJ_INFECT(res, from);
rb_obj_taint(from);
}
if (!associates) {
else if (ISDIGIT(*p)) {
errno = 0;
len = STRTOUL(p, (char**)&p, 10);
- if (errno) {
+ if (len < 0 || errno) {
rb_raise(rb_eRangeError, "pack length too big");
}
}
if (p[-1] == '*' || len > (send - s) * 8)
len = (send - s) * 8;
bits = 0;
- UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
+ bitstr = rb_usascii_str_new(0, len);
+ OBJ_INFECT(bitstr, str);
t = RSTRING_PTR(bitstr);
for (i=0; i<len; i++) {
if (i & 7) bits >>= 1;
else bits = (unsigned char)*s++;
*t++ = (bits & 1) ? '1' : '0';
}
+ UNPACK_PUSH(bitstr);
}
break;
if (p[-1] == '*' || len > (send - s) * 8)
len = (send - s) * 8;
bits = 0;
- UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
+ bitstr = rb_usascii_str_new(0, len);
+ OBJ_INFECT(bitstr, str);
t = RSTRING_PTR(bitstr);
for (i=0; i<len; i++) {
if (i & 7) bits <<= 1;
else bits = (unsigned char)*s++;
*t++ = (bits & 128) ? '1' : '0';
}
+ UNPACK_PUSH(bitstr);
}
break;
if (p[-1] == '*' || len > (send - s) * 2)
len = (send - s) * 2;
bits = 0;
- UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
+ bitstr = rb_usascii_str_new(0, len);
+ OBJ_INFECT(bitstr, str);
t = RSTRING_PTR(bitstr);
for (i=0; i<len; i++) {
if (i & 1)
bits = (unsigned char)*s++;
*t++ = hexdigits[bits & 15];
}
+ UNPACK_PUSH(bitstr);
}
break;
if (p[-1] == '*' || len > (send - s) * 2)
len = (send - s) * 2;
bits = 0;
- UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
+ bitstr = rb_usascii_str_new(0, len);
+ OBJ_INFECT(bitstr, str);
t = RSTRING_PTR(bitstr);
for (i=0; i<len; i++) {
if (i & 1)
bits = (unsigned char)*s++;
*t++ = hexdigits[(bits >> 4) & 15];
}
+ UNPACK_PUSH(bitstr);
}
break;
fval = RFLOAT_VALUE(rb_Float(val));
if (isnan(fval) || isinf(fval)) {
const char *expr;
+ int elen;
+ char sign = '\0';
if (isnan(fval)) {
expr = "NaN";
expr = "Inf";
}
need = (int)strlen(expr);
- if ((!isnan(fval) && fval < 0.0) || (flags & FPLUS))
- need++;
+ elen = need;
+ i = 0;
+ if (!isnan(fval) && fval < 0.0)
+ sign = '-';
+ else if (flags & (FPLUS|FSPACE))
+ sign = (flags & FPLUS) ? '+' : ' ';
+ if (sign)
+ ++need;
if ((flags & FWIDTH) && need < width)
need = width;
- CHECK(need + 1);
- snprintf(&buf[blen], need + 1, "%*s", need, "");
+ FILL(' ', need);
if (flags & FMINUS) {
- if (!isnan(fval) && fval < 0.0)
- buf[blen++] = '-';
- else if (flags & FPLUS)
- buf[blen++] = '+';
- else if (flags & FSPACE)
- blen++;
- memcpy(&buf[blen], expr, strlen(expr));
+ if (sign)
+ buf[blen - need--] = sign;
+ memcpy(&buf[blen - need], expr, elen);
}
else {
- if (!isnan(fval) && fval < 0.0)
- buf[blen + need - strlen(expr) - 1] = '-';
- else if (flags & FPLUS)
- buf[blen + need - strlen(expr) - 1] = '+';
- else if ((flags & FSPACE) && need > width)
- blen++;
- memcpy(&buf[blen + need - strlen(expr)], expr,
- strlen(expr));
+ if (sign)
+ buf[blen - elen - 1] = sign;
+ memcpy(&buf[blen - elen], expr, elen);
}
- blen += strlen(&buf[blen]);
break;
}
--- /dev/null
+reason = "Network access not allowed during build in Debian"
+exclude :test_make_socket_ipv4_multicast, reason
+exclude :test_make_socket_ipv4_multicast_hops, reason
--- /dev/null
+reason = "Network access not allowed during build in Debian"
+exclude :test_make_socket_ipv4_multicast, reason
+exclude :test_ring_server_ipv4_multicast, reason
--- /dev/null
+# Found on Debian mips* buildds, this test consumes ~2GB RAM and
+# a lot of CPU time before failing. Note that the test failure
+# may point to an issue in the Array implementation.
+# https://bugs.ruby-lang.org/issues/12500
+exclude :test_aspawn_too_long_path, "RAM and time consuming test"
--- /dev/null
+# Found on Debian arm*, powerpc buildds
+exclude :test_prepend_after_refine_wb_miss, "time consuming test"
--- /dev/null
+exclude :test_gen_Pacific_Kiritimati_71, "https://bugs.ruby-lang.org/issues/14655"
+exclude :test_gen_Pacific_Kiritimati_89, "https://bugs.ruby-lang.org/issues/14655"
+exclude :test_gen_lisbon_99, "https://bugs.ruby-lang.org/issues/14655"
+exclude :test_pacific_kiritimati, "https://bugs.ruby-lang.org/issues/14655"
require "ostruct"
require "stringio"
require "tempfile"
+require "tmpdir"
class FTPTest < Test::Unit::TestCase
SERVER_ADDR = "127.0.0.1"
end
end
+ def test_getbinaryfile_command_injection
+ skip "| is not allowed in filename on Windows" if windows?
+ [false, true].each do |resume|
+ commands = []
+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
+ server = create_ftp_server { |sock|
+ sock.print("220 (test_ftp).\r\n")
+ commands.push(sock.gets)
+ sock.print("331 Please specify the password.\r\n")
+ commands.push(sock.gets)
+ sock.print("230 Login successful.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to Binary mode.\r\n")
+ line = sock.gets
+ commands.push(line)
+ host, port = process_port_or_eprt(sock, line)
+ commands.push(sock.gets)
+ sock.print("150 Opening BINARY mode data connection for |echo hello (#{binary_data.size} bytes)\r\n")
+ conn = TCPSocket.new(host, port)
+ binary_data.scan(/.{1,1024}/nm) do |s|
+ conn.print(s)
+ end
+ conn.shutdown(Socket::SHUT_WR)
+ conn.read
+ conn.close
+ sock.print("226 Transfer complete.\r\n")
+ }
+ begin
+ chdir_to_tmpdir do
+ begin
+ ftp = Net::FTP.new
+ ftp.resume = resume
+ ftp.read_timeout = 0.2
+ ftp.connect(SERVER_ADDR, server.port)
+ ftp.login
+ assert_match(/\AUSER /, commands.shift)
+ assert_match(/\APASS /, commands.shift)
+ assert_equal("TYPE I\r\n", commands.shift)
+ ftp.getbinaryfile("|echo hello")
+ assert_equal(binary_data, File.binread("./|echo hello"))
+ assert_match(/\A(PORT|EPRT) /, commands.shift)
+ assert_equal("RETR |echo hello\r\n", commands.shift)
+ assert_equal(nil, commands.shift)
+ ensure
+ ftp.close if ftp
+ end
+ end
+ ensure
+ server.close
+ end
+ end
+ end
+
+ def test_gettextfile_command_injection
+ skip "| is not allowed in filename on Windows" if windows?
+ commands = []
+ text_data = <<EOF.gsub(/\n/, "\r\n")
+foo
+bar
+baz
+EOF
+ server = create_ftp_server { |sock|
+ sock.print("220 (test_ftp).\r\n")
+ commands.push(sock.gets)
+ sock.print("331 Please specify the password.\r\n")
+ commands.push(sock.gets)
+ sock.print("230 Login successful.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to Binary mode.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to ASCII mode.\r\n")
+ line = sock.gets
+ commands.push(line)
+ host, port = process_port_or_eprt(sock, line)
+ commands.push(sock.gets)
+ sock.print("150 Opening TEXT mode data connection for |echo hello (#{text_data.size} bytes)\r\n")
+ conn = TCPSocket.new(host, port)
+ text_data.each_line do |l|
+ conn.print(l)
+ end
+ conn.shutdown(Socket::SHUT_WR)
+ conn.read
+ conn.close
+ sock.print("226 Transfer complete.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to Binary mode.\r\n")
+ }
+ begin
+ chdir_to_tmpdir do
+ begin
+ ftp = Net::FTP.new
+ ftp.connect(SERVER_ADDR, server.port)
+ ftp.login
+ assert_match(/\AUSER /, commands.shift)
+ assert_match(/\APASS /, commands.shift)
+ assert_equal("TYPE I\r\n", commands.shift)
+ ftp.gettextfile("|echo hello")
+ assert_equal(text_data.gsub(/\r\n/, "\n"),
+ File.binread("./|echo hello"))
+ assert_equal("TYPE A\r\n", commands.shift)
+ assert_match(/\A(PORT|EPRT) /, commands.shift)
+ assert_equal("RETR |echo hello\r\n", commands.shift)
+ assert_equal("TYPE I\r\n", commands.shift)
+ assert_equal(nil, commands.shift)
+ ensure
+ ftp.close if ftp
+ end
+ end
+ ensure
+ server.close
+ end
+ end
+
+ def test_putbinaryfile_command_injection
+ skip "| is not allowed in filename on Windows" if windows?
+ commands = []
+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
+ received_data = nil
+ server = create_ftp_server { |sock|
+ sock.print("220 (test_ftp).\r\n")
+ commands.push(sock.gets)
+ sock.print("331 Please specify the password.\r\n")
+ commands.push(sock.gets)
+ sock.print("230 Login successful.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to Binary mode.\r\n")
+ line = sock.gets
+ commands.push(line)
+ host, port = process_port_or_eprt(sock, line)
+ commands.push(sock.gets)
+ sock.print("150 Opening BINARY mode data connection for |echo hello (#{binary_data.size} bytes)\r\n")
+ conn = TCPSocket.new(host, port)
+ received_data = conn.read
+ conn.close
+ sock.print("226 Transfer complete.\r\n")
+ }
+ begin
+ chdir_to_tmpdir do
+ File.binwrite("./|echo hello", binary_data)
+ begin
+ ftp = Net::FTP.new
+ ftp.read_timeout = 0.2
+ ftp.connect(SERVER_ADDR, server.port)
+ ftp.login
+ assert_match(/\AUSER /, commands.shift)
+ assert_match(/\APASS /, commands.shift)
+ assert_equal("TYPE I\r\n", commands.shift)
+ ftp.putbinaryfile("|echo hello")
+ assert_equal(binary_data, received_data)
+ assert_match(/\A(PORT|EPRT) /, commands.shift)
+ assert_equal("STOR |echo hello\r\n", commands.shift)
+ assert_equal(nil, commands.shift)
+ ensure
+ ftp.close if ftp
+ end
+ end
+ ensure
+ server.close
+ end
+ end
+
+ def test_puttextfile_command_injection
+ skip "| is not allowed in filename on Windows" if windows?
+ commands = []
+ received_data = nil
+ server = create_ftp_server { |sock|
+ sock.print("220 (test_ftp).\r\n")
+ commands.push(sock.gets)
+ sock.print("331 Please specify the password.\r\n")
+ commands.push(sock.gets)
+ sock.print("230 Login successful.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to Binary mode.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to ASCII mode.\r\n")
+ line = sock.gets
+ commands.push(line)
+ host, port = process_port_or_eprt(sock, line)
+ commands.push(sock.gets)
+ sock.print("150 Opening TEXT mode data connection for |echo hello\r\n")
+ conn = TCPSocket.new(host, port)
+ received_data = conn.read
+ conn.close
+ sock.print("226 Transfer complete.\r\n")
+ commands.push(sock.gets)
+ sock.print("200 Switching to Binary mode.\r\n")
+ }
+ begin
+ chdir_to_tmpdir do
+ File.open("|echo hello", "w") do |f|
+ f.puts("foo")
+ f.puts("bar")
+ f.puts("baz")
+ end
+ begin
+ ftp = Net::FTP.new
+ ftp.connect(SERVER_ADDR, server.port)
+ ftp.login
+ assert_match(/\AUSER /, commands.shift)
+ assert_match(/\APASS /, commands.shift)
+ assert_equal("TYPE I\r\n", commands.shift)
+ ftp.puttextfile("|echo hello")
+ assert_equal(<<EOF.gsub(/\n/, "\r\n"), received_data)
+foo
+bar
+baz
+EOF
+ assert_equal("TYPE A\r\n", commands.shift)
+ assert_match(/\A(PORT|EPRT) /, commands.shift)
+ assert_equal("STOR |echo hello\r\n", commands.shift)
+ assert_equal("TYPE I\r\n", commands.shift)
+ assert_equal(nil, commands.shift)
+ ensure
+ ftp.close if ftp
+ end
+ end
+ ensure
+ server.close
+ end
+ end
+
private
def create_ftp_server(sleep_time = nil)
end
return server
end
+
+ def chdir_to_tmpdir
+ Dir.mktmpdir do |dir|
+ pwd = Dir.pwd
+ Dir.chdir(dir)
+ begin
+ yield
+ ensure
+ Dir.chdir(pwd)
+ end
+ end
+ end
+
+ def process_port_or_eprt(sock, line)
+ case line
+ when /\APORT (.*)/
+ port_args = $1.split(/,/)
+ host = port_args[0, 4].join(".")
+ port = port_args[4, 2].map(&:to_i).inject {|x, y| (x << 8) + y}
+ sock.print("200 PORT command successful.\r\n")
+ return host, port
+ when /\AEPRT \|2\|(.*?)\|(.*?)\|/
+ host = $1
+ port = $2.to_i
+ sock.print("200 EPRT command successful.\r\n")
+ return host, port
+ else
+ flunk "PORT or EPRT expected"
+ end
+ end
end
module Net
class TestSMTP < Test::Unit::TestCase
class FakeSocket
+ attr_reader :write_io
+
def initialize out = "250 OK\n"
@write_io = StringIO.new
@read_io = StringIO.new out
assert smtp.rset
end
+
+ def test_mailfrom
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.mailfrom("foo@example.com").success?
+ assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_rcptto
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.rcptto("foo@example.com").success?
+ assert_equal "RCPT TO:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_auth_plain
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.auth_plain("foo", "bar").success?
+ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
+ end
+
+ def test_crlf_injection
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, FakeSocket.new
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\r\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\rbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.rcptto("foo\r\nbar")
+ end
+ end
end
end
assert_equal(false, asn1.value[3].infinite_length)
end
+ def test_decode_constructed_overread
+ test = %w{ 31 06 31 02 30 02 05 00 }
+ # ^ <- invalid
+ raw = [test.join].pack("H*")
+ ret = []
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.traverse(raw) { |x| ret << x }
+ }
+ assert_equal 2, ret.size
+ assert_equal 17, ret[0][6]
+ assert_equal 17, ret[1][6]
+
+ test = %w{ 31 80 30 03 00 00 }
+ # ^ <- invalid
+ raw = [test.join].pack("H*")
+ ret = []
+ assert_raise(OpenSSL::ASN1::ASN1Error) {
+ OpenSSL::ASN1.traverse(raw) { |x| ret << x }
+ }
+ assert_equal 1, ret.size
+ assert_equal 17, ret[0][6]
+ end
+
private
def assert_universal(tag, asn1)
def test_empty_data
@c1.encrypt
+ @c1.random_key
assert_raise(ArgumentError){ @c1.update("") }
end
}
end
- def test_AES_crush
- 500.times do
- assert_nothing_raised("[Bug #2768]") do
- # it caused OpenSSL SEGV by uninitialized key
- OpenSSL::Cipher::AES128.new("ECB").update "." * 17
- end
+ def test_update_raise_if_key_not_set
+ assert_raise(OpenSSL::Cipher::CipherError) do
+ # it caused OpenSSL SEGV by uninitialized key
+ OpenSSL::Cipher::AES128.new("ECB").update "." * 17
end
end
end
end
+ def test_aes_gcm_key_iv_order_issue
+ pt = "[ruby/openssl#49]"
+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
+ cipher.key = "x" * 16
+ cipher.iv = "a" * 12
+ ct1 = cipher.update(pt) << cipher.final
+ tag1 = cipher.auth_tag
+
+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
+ cipher.iv = "a" * 12
+ cipher.key = "x" * 16
+ ct2 = cipher.update(pt) << cipher.final
+ tag2 = cipher.auth_tag
+
+ assert_equal ct1, ct2
+ assert_equal tag1, tag2
+ end if has_cipher?("aes-128-gcm")
+
private
def new_encryptor(algo)
end
def test_spaceship
- n1 = OpenSSL::X509::Name.parse 'CN=a'
- n2 = OpenSSL::X509::Name.parse 'CN=b'
-
- assert_equal(-1, n1 <=> n2)
+ n1 = OpenSSL::X509::Name.new([["CN", "a"]])
+ n2 = OpenSSL::X509::Name.new([["CN", "a"]])
+ n3 = OpenSSL::X509::Name.new([["CN", "ab"]])
+
+ assert_equal 0, n1 <=> n2
+ assert_equal -1, n1 <=> n3
+ assert_equal 0, n2 <=> n1
+ assert_equal -1, n2 <=> n3
+ assert_equal 1, n3 <=> n1
+ assert_equal 1, n3 <=> n2
end
def name_hash(name)
def test_permutation_stack_error
bug9932 = '[ruby-core:63103] [Bug #9932]'
- assert_separately([], <<-"end;") # do
+ # On some platforms (armel, mips), permutation is very expensive/slow.
+ assert_separately([], <<-"end;", timeout: 60) # do
assert_nothing_raised(SystemStackError, "#{bug9932}") do
assert_equal(:ok, Array.new(100_000, nil).permutation {break :ok})
end
open(File.join(@root, "}}a"), "wb") {}
assert_equal(%w(}}{} }}a).map {|f| File.join(@root, f)}, Dir.glob(File.join(@root, '}}{\{\},a}')))
assert_equal(%w(}}{} }}a b c).map {|f| File.join(@root, f)}, Dir.glob(File.join(@root, '{\}\}{\{\},a},b,c}')))
+ assert_raise(ArgumentError) {
+ Dir.glob([[@root, File.join(@root, "*")].join("\0")])
+ }
end
def test_glob_recursive
def test_entries
assert_entries(Dir.open(@root) {|dir| dir.entries})
+ assert_raise(ArgumentError) {Dir.entries(@root+"\0")}
end
def test_foreach
assert_entries(Dir.foreach(@root).to_a)
+ assert_raise(ArgumentError) {Dir.foreach(@root+"\0").to_a}
end
def test_dir_enc
user = ENV['USER']
skip "ENV['USER'] is not set" unless user
assert_equal(ENV['HOME'], File.expand_path("~#{user}"))
- end unless DRIVE
+ end if false # does not work in sbuild/buildd environments
def test_expand_path_error_for_nonexistent_username
user = "\u{3086 3046 3066 3044}:\u{307F 3084 304A 3046}"
assert_in_out_err([env, "-w", "-e", "exit"], "", [], /RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR=0\.9/, "")
# always full GC when RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR < 1.0
- assert_in_out_err([env, "-e", "1000_000.times{Object.new}; p(GC.stat[:minor_gc_count] < GC.stat[:major_gc_count])"], "", ['true'], //, "") if use_rgengc?
+ assert_in_out_err([env, "-e", "1000_000.times{Object.new}; p(GC.stat[:minor_gc_count] < GC.stat[:major_gc_count])"], "", ['true'], //, "", timeout: 30) if use_rgengc?
# check obsolete
assert_in_out_err([{'RUBY_FREE_MIN' => '100'}, '-w', '-eexit'], '', [],
assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C"))
assert_equal([nil], "\x00".unpack("@1C")) # is it OK?
assert_raise(ArgumentError) { "\x00".unpack("@2C") }
+
+ pos = (1 << [nil].pack("p").bytesize * 8) - 100 # -100
+ assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
end
def test_pack_unpack_percent
assert_raise_with_message(ArgumentError, /too few/) {ary.pack("AA")}
end;
end
+
+ def test_unpack_with_block
+ ret = []; "ABCD".unpack("CCCC") {|v| ret << v }
+ assert_equal [65, 66, 67, 68], ret
+ ret = []; "A".unpack("B*") {|v| ret << v }
+ assert_equal ["01000001"], ret
+ end
+
+ def test_pack_infection
+ tainted_array_string = ["123456"]
+ tainted_array_string.first.taint
+ ['a', 'A', 'Z', 'B', 'b', 'H', 'h', 'u', 'M', 'm', 'P', 'p'].each do |f|
+ assert_predicate(tainted_array_string.pack(f), :tainted?)
+ end
+ end
+
+ def test_unpack_infection
+ tainted_string = "123456"
+ tainted_string.taint
+ ['a', 'A', 'Z', 'B', 'b', 'H', 'h', 'u', 'M', 'm'].each do |f|
+ assert_predicate(tainted_string.unpack(f).first, :tainted?)
+ end
+ end
end
assert_equal("NaN", sprintf("%-f", nan))
assert_equal("+NaN", sprintf("%+f", nan))
+ assert_equal("NaN", sprintf("%3f", nan))
+ assert_equal("NaN", sprintf("%-3f", nan))
+ assert_equal("+NaN", sprintf("%+3f", nan))
+
+ assert_equal(" NaN", sprintf("% 3f", nan))
+ assert_equal(" NaN", sprintf("%- 3f", nan))
+ assert_equal("+NaN", sprintf("%+ 3f", nan))
+
+ assert_equal(" NaN", sprintf("% 03f", nan))
+ assert_equal(" NaN", sprintf("%- 03f", nan))
+ assert_equal("+NaN", sprintf("%+ 03f", nan))
+
assert_equal(" NaN", sprintf("%8f", nan))
assert_equal("NaN ", sprintf("%-8f", nan))
assert_equal(" +NaN", sprintf("%+8f", nan))
assert_equal("Inf", sprintf("%-f", inf))
assert_equal("+Inf", sprintf("%+f", inf))
+ assert_equal(" Inf", sprintf("% f", inf))
+ assert_equal(" Inf", sprintf("%- f", inf))
+ assert_equal("+Inf", sprintf("%+ f", inf))
+
+ assert_equal(" Inf", sprintf("% 0f", inf))
+ assert_equal(" Inf", sprintf("%- 0f", inf))
+ assert_equal("+Inf", sprintf("%+ 0f", inf))
+
+ assert_equal("Inf", sprintf("%3f", inf))
+ assert_equal("Inf", sprintf("%-3f", inf))
+ assert_equal("+Inf", sprintf("%+3f", inf))
+
+ assert_equal(" Inf", sprintf("% 3f", inf))
+ assert_equal(" Inf", sprintf("%- 3f", inf))
+ assert_equal("+Inf", sprintf("%+ 3f", inf))
+
+ assert_equal(" Inf", sprintf("% 03f", inf))
+ assert_equal(" Inf", sprintf("%- 03f", inf))
+ assert_equal("+Inf", sprintf("%+ 03f", inf))
+
assert_equal(" Inf", sprintf("%8f", inf))
assert_equal("Inf ", sprintf("%-8f", inf))
assert_equal(" +Inf", sprintf("%+8f", inf))
assert_equal("-Inf", sprintf("%-f", -inf))
assert_equal("-Inf", sprintf("%+f", -inf))
+ assert_equal("-Inf", sprintf("% f", -inf))
+ assert_equal("-Inf", sprintf("%- f", -inf))
+ assert_equal("-Inf", sprintf("%+ f", -inf))
+
+ assert_equal("-Inf", sprintf("% 0f", -inf))
+ assert_equal("-Inf", sprintf("%- 0f", -inf))
+ assert_equal("-Inf", sprintf("%+ 0f", -inf))
+
+ assert_equal("-Inf", sprintf("%4f", -inf))
+ assert_equal("-Inf", sprintf("%-4f", -inf))
+ assert_equal("-Inf", sprintf("%+4f", -inf))
+
+ assert_equal("-Inf", sprintf("% 4f", -inf))
+ assert_equal("-Inf", sprintf("%- 4f", -inf))
+ assert_equal("-Inf", sprintf("%+ 4f", -inf))
+
+ assert_equal("-Inf", sprintf("% 04f", -inf))
+ assert_equal("-Inf", sprintf("%- 04f", -inf))
+ assert_equal("-Inf", sprintf("%+ 04f", -inf))
+
assert_equal(" -Inf", sprintf("%8f", -inf))
assert_equal("-Inf ", sprintf("%-8f", -inf))
assert_equal(" -Inf", sprintf("%+8f", -inf))
has_right_tz &&= have_tz_offset?("right/America/Los_Angeles")
has_lisbon_tz &&= have_tz_offset?("Europe/Lisbon")
+ CORRECT_TOKYO_DST_1951 = with_tz("Asia/Tokyo") {
+ if Time.local(1951, 5, 6, 12, 0, 0).dst? # noon, DST
+ Time.local(1951, 5, 6, 1, 0, 0).dst? # DST with fixed tzdata
+ end
+ }
def time_to_s(t)
t.to_s
def test_asia_tokyo
with_tz(tz="Asia/Tokyo") {
- assert_time_constructor(tz, "1951-05-06 03:00:00 +1000", :local, [1951,5,6,2,0,0])
- assert_time_constructor(tz, "1951-05-06 03:59:59 +1000", :local, [1951,5,6,2,59,59])
+ h = CORRECT_TOKYO_DST_1951 ? 0 : 2
+ assert_time_constructor(tz, "1951-05-06 0#{h+1}:00:00 +1000", :local, [1951,5,6,h,0,0])
+ assert_time_constructor(tz, "1951-05-06 0#{h+1}:59:59 +1000", :local, [1951,5,6,h,59,59])
assert_time_constructor(tz, "2010-06-10 06:13:28 +0900", :local, [2010,6,10,6,13,28])
}
end
Asia/Singapore Sun Aug 8 16:30:00 1965 UTC = Mon Aug 9 00:00:00 1965 SGT isdst=0 gmtoff=27000
Asia/Singapore Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000
Asia/Singapore Thu Dec 31 16:30:00 1981 UTC = Fri Jan 1 00:30:00 1982 SGT isdst=0 gmtoff=28800
+End
+ gen_zdump_test CORRECT_TOKYO_DST_1951 ? <<'End' : <<'End'
+Asia/Tokyo Sat May 5 14:59:59 1951 UTC = Sat May 5 23:59:59 1951 JST isdst=0 gmtoff=32400
+Asia/Tokyo Sat May 5 15:00:00 1951 UTC = Sun May 6 01:00:00 1951 JDT isdst=1 gmtoff=36000
+Asia/Tokyo Sat Sep 8 13:59:59 1951 UTC = Sat Sep 8 23:59:59 1951 JDT isdst=1 gmtoff=36000
+Asia/Tokyo Sat Sep 8 14:00:00 1951 UTC = Sat Sep 8 23:00:00 1951 JST isdst=0 gmtoff=32400
+End
Asia/Tokyo Sat May 5 16:59:59 1951 UTC = Sun May 6 01:59:59 1951 JST isdst=0 gmtoff=32400
Asia/Tokyo Sat May 5 17:00:00 1951 UTC = Sun May 6 03:00:00 1951 JDT isdst=1 gmtoff=36000
Asia/Tokyo Fri Sep 7 15:59:59 1951 UTC = Sat Sep 8 01:59:59 1951 JDT isdst=1 gmtoff=36000
Asia/Tokyo Fri Sep 7 16:00:00 1951 UTC = Sat Sep 8 01:00:00 1951 JST isdst=0 gmtoff=32400
+End
+ gen_zdump_test <<'End'
America/St_Johns Sun Mar 11 03:30:59 2007 UTC = Sun Mar 11 00:00:59 2007 NST isdst=0 gmtoff=-12600
America/St_Johns Sun Mar 11 03:31:00 2007 UTC = Sun Mar 11 01:01:00 2007 NDT isdst=1 gmtoff=-9000
America/St_Johns Sun Nov 4 02:30:59 2007 UTC = Sun Nov 4 00:00:59 2007 NDT isdst=1 gmtoff=-9000
assert_match %r{- user2@example.com}, @ui.output
end
+ def test_show_owners_dont_load_objects
+ skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
+
+ response = <<EOF
+---
+- email: !ruby/object:Object {}
+ id: 1
+ handle: user1
+- email: user2@example.com
+- id: 3
+ handle: user3
+- id: 4
+EOF
+
+ @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
+
+ assert_raises Psych::DisallowedClass do
+ use_ui @ui do
+ @cmd.show_owners("freewill")
+ end
+ end
+
+ end
+
+
def test_show_owners_setting_up_host_through_env_var
response = "- email: user1@example.com\n"
host = "http://rubygems.example"
This is a lot of text. This is a lot of text. This is a lot of text.
This is a lot of text.
+pl (1)
+ Platform: i386-linux
+ Author: A User
+ Homepage: http://example.com
+
+ this is a summary
+ EOF
+
+ assert_equal expected, @ui.output
+ assert_equal '', @ui.error
+ end
+
+ def test_execute_details_cleans_text
+ spec_fetcher do |fetcher|
+ fetcher.spec 'a', 2 do |s|
+ s.summary = 'This is a lot of text. ' * 4
+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
+ s.homepage = "http://a.example.com/\x03"
+ end
+
+ fetcher.legacy_platform
+ end
+
+ @cmd.handle_options %w[-r -d]
+
+ use_ui @ui do
+ @cmd.execute
+ end
+
+ expected = <<-EOF
+
+*** REMOTE GEMS ***
+
+a (2)
+ Authors: Abraham Lincoln ., . Hirohito
+ Homepage: http://a.example.com/.
+
+ This is a lot of text. This is a lot of text. This is a lot of text.
+ This is a lot of text.
+
+pl (1)
+ Platform: i386-linux
+ Author: A User
+ Homepage: http://example.com
+
+ this is a summary
+ EOF
+
+ assert_equal expected, @ui.output
+ assert_equal '', @ui.error
+ end
+
+ def test_execute_details_truncates_summary
+ spec_fetcher do |fetcher|
+ fetcher.spec 'a', 2 do |s|
+ s.summary = 'This is a lot of text. ' * 10_000
+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
+ s.homepage = "http://a.example.com/\x03"
+ end
+
+ fetcher.legacy_platform
+ end
+
+ @cmd.handle_options %w[-r -d]
+
+ use_ui @ui do
+ @cmd.execute
+ end
+
+ expected = <<-EOF
+
+*** REMOTE GEMS ***
+
+a (2)
+ Authors: Abraham Lincoln ., . Hirohito
+ Homepage: http://a.example.com/.
+
+ Truncating the summary for a-2 to 100,000 characters:
+#{" This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449} This is a lot of te
+
pl (1)
Platform: i386-linux
Author: A User
end
end
+ def test_pre_install_checks_malicious_name
+ spec = util_spec '../malicious', '1'
+ def spec.full_name # so the spec is buildable
+ "malicious-1"
+ end
+ def spec.validate; end
+
+ util_build_gem spec
+
+ gem = File.join(@gemhome, 'cache', spec.file_name)
+
+ use_ui @ui do
+ @installer = Gem::Installer.at gem
+ e = assert_raises Gem::InstallError do
+ @installer.pre_install_checks
+ end
+ assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message
+ end
+ end
+
def test_shebang
util_make_exec @spec, "#!/usr/bin/ruby"
File.read(extracted)
end
+ def test_extract_symlink_parent
+ skip 'symlink not supported' if Gem.win_platform?
+
+ package = Gem::Package.new @gem
+
+ tgz_io = util_tar_gz do |tar|
+ tar.mkdir 'lib', 0755
+ tar.add_symlink 'lib/link', '../..', 0644
+ tar.add_file 'lib/link/outside.txt', 0644 do |io| io.write 'hi' end
+ end
+
+ # Extract into a subdirectory of @destination; if this test fails it writes
+ # a file outside destination_subdir, but we want the file to remain inside
+ # @destination so it will be cleaned up.
+ destination_subdir = File.join @destination, 'subdir'
+ FileUtils.mkdir_p destination_subdir
+
+ e = assert_raises Gem::Package::PathError do
+ package.extract_tar_gz tgz_io, destination_subdir
+ end
+
+ assert_equal("installing into parent path lib/link/outside.txt of " +
+ "#{destination_subdir} is not allowed", e.message)
+ end
+
def test_extract_tar_gz_directory
package = Gem::Package.new @gem
"#{@destination} is not allowed", e.message)
end
+ def test_install_location_suffix
+ package = Gem::Package.new @gem
+
+ filename = "../#{File.basename(@destination)}suffix.rb"
+
+ e = assert_raises Gem::Package::PathError do
+ package.install_location filename, @destination
+ end
+
+ parent = File.expand_path File.join @destination, filename
+
+ assert_equal("installing into parent path #{parent} of " +
+ "#{@destination} is not allowed", e.message)
+ end
+
def test_load_spec
entry = StringIO.new Gem.gzip @spec.to_yaml
def entry.full_name() 'metadata.gz' end
assert_match %r%nonexistent.gem$%, e.message
end
+ def test_verify_duplicate_file
+ FileUtils.mkdir_p 'lib'
+ FileUtils.touch 'lib/code.rb'
+
+ build = Gem::Package.new @gem
+ build.spec = @spec
+ build.setup_signer
+ open @gem, 'wb' do |gem_io|
+ Gem::Package::TarWriter.new gem_io do |gem|
+ build.add_metadata gem
+ build.add_contents gem
+
+ gem.add_file_simple 'a.sig', 0444, 0
+ gem.add_file_simple 'a.sig', 0444, 0
+ end
+ end
+
+ package = Gem::Package.new @gem
+
+ e = assert_raises Gem::Security::Exception do
+ package.verify
+ end
+
+ assert_equal 'duplicate files in the package: ("a.sig")', e.message
+ end
+
def test_verify_security_policy
skip 'openssl is missing' unless defined?(OpenSSL::SSL)
# write bogus data.tar.gz to foil signature
bogus_data = Gem.gzip 'hello'
- gem.add_file_simple 'data.tar.gz', 0444, bogus_data.length do |io|
+ fake_signer = Class.new do
+ def digest_name; 'SHA512'; end
+ def digest_algorithm; Digest(:SHA512); end
+ def key; 'key'; end
+ def sign(*); 'fake_sig'; end
+ end
+ gem.add_file_signed 'data2.tar.gz', 0444, fake_signer.new do |io|
io.write bogus_data
end
assert_equal '012467', @tar_header.checksum
end
+ def test_from_bad_octal
+ test_cases = [
+ "00000006,44\000", # bogus character
+ "00000006789\000", # non-octal digit
+ "+0000001234\000", # positive sign
+ "-0000001000\000", # negative sign
+ "0x000123abc\000", # radix prefix
+ ]
+
+ test_cases.each do |val|
+ header_s = @tar_header.to_s
+ # overwrite the size field
+ header_s[124, 12] = val
+ io = TempIO.new header_s
+ assert_raises ArgumentError do
+ new_header = Gem::Package::TarHeader.from io
+ end
+ io.close! if io.respond_to? :close!
+ end
+ end
+
end
dns.verify
end
+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path
+ uri = URI.parse "http://example.com/foo"
+ target = MiniTest::Mock.new
+ target.expect :target, "evil.com/a.example.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+ target.verify
+ dns.verify
+ end
+
def test_api_endpoint_timeout_warning
uri = URI.parse "http://gems.example.com/foo"
assert_match 'z 9', @res.body
end
+
+ def test_xss_homepage_fix_289313
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'xsshomepagegem', 1
+ spec.homepage = "javascript:confirm(document.domain)"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'xsshomepagegem 1', @res.body
+
+ # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
+ # valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
+ # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
+ # validated in future versions of Gem::Specification.
+ #
+ # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
+ #
+ # Variant #1 - rdoc not installed
+ #
+ # <b>xsshomepagegem 1</b>
+ #
+ #
+ # <span title="rdoc not installed">[rdoc]</span>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ #
+ # Variant #2 - rdoc installed
+ #
+ # <b>xsshomepagegem 1</b>
+ #
+ #
+ # <a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ regex_match = /xsshomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
+ def test_invalid_homepage
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'invalidhomepagegem', 1
+ spec.homepage = "notavalidhomepageurl"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'invalidhomepagegem 1', @res.body
+
+ # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
+ # valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
+ # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
+ # validated in future versions of Gem::Specification.
+ #
+ # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
+ #
+ # Variant #1 - rdoc not installed
+ #
+ # <b>invalidhomepagegem 1</b>
+ #
+ #
+ # <span title="rdoc not installed">[rdoc]</span>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ #
+ # Variant #2 - rdoc installed
+ #
+ # <b>invalidhomepagegem 1</b>
+ #
+ #
+ # <a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ regex_match = /invalidhomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
+ def test_valid_homepage_http
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'validhomepagegemhttp', 1
+ spec.homepage = "http://rubygems.org"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'validhomepagegemhttp 1', @res.body
+
+ regex_match = /validhomepagegemhttp 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttp-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="http:\/\/rubygems\.org" title="http:\/\/rubygems\.org">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
+ def test_valid_homepage_https
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'validhomepagegemhttps', 1
+ spec.homepage = "https://rubygems.org"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'validhomepagegemhttps 1', @res.body
+
+ regex_match = /validhomepagegemhttps 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttps-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="https:\/\/rubygems\.org" title="https:\/\/rubygems\.org">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
def test_specs
data = StringIO.new "GET /specs.#{Gem.marshal_version} HTTP/1.0\r\n\r\n"
@req.parse data
@a1.validate
end
- assert_equal '"over at my cool site" is not a URI', e.message
+ assert_equal '"over at my cool site" is not a valid HTTP URI', e.message
+
+ @a1.homepage = 'ftp://rubygems.org'
+
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+
+ assert_equal '"ftp://rubygems.org" is not a valid HTTP URI', e.message
+
+ @a1.homepage = 'http://rubygems.org'
+ assert_equal true, @a1.validate
+
+ @a1.homepage = 'https://rubygems.org'
+ assert_equal true, @a1.validate
+
end
end
@a1.validate
end
- assert_equal 'invalid value for attribute name: ":json"', e.message
+ assert_equal 'invalid value for attribute name: ":json" must be a string', e.message
+
+ @a1.name = []
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message
+
+ @a1.name = ""
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message
+
+ @a1.name = "12345"
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message
+
+ @a1.name = "../malicious"
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message
+
+ @a1.name = "\ba\t"
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message
end
def test_validate_non_nil
assert_equal expected, format_text(text, 78)
end
+ def test_format_removes_nonprintable_characters
+ assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40)
+ end
+
def test_min3
assert_equal 1, min3(1, 1, 1)
assert_equal 1, min3(1, 1, 2)
assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest")
assert_equal 7, levenshtein_distance("zentest", "xxxxxxx")
end
+
+ def test_truncate_text
+ assert_equal "abc", truncate_text("abc", "desc")
+ assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2)
+ s = "ab" * 500_001
+ assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
+ end
end
File.unlink path if path && File.socket?(path)
end
+ def test_open_nul_byte
+ tmpfile = Tempfile.new("s")
+ path = tmpfile.path
+ tmpfile.close(true)
+ assert_raise(ArgumentError) {UNIXServer.open(path+"\0")}
+ assert_raise(ArgumentError) {UNIXSocket.open(path+"\0")}
+ ensure
+ File.unlink path if path && File.socket?(path)
+ end
+
def test_addr
bound_unix_socket(UNIXServer) {|serv, path|
UNIXSocket.open(path) {|c|
f.close if f && !f.closed?
File.unlink path if path
end
-end
+ TRAVERSAL_PATH = Array.new(Dir.pwd.split('/').count, '..').join('/') + Dir.pwd + '/'
+
+ def test_open_traversal_dir
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ t = Tempfile.open([TRAVERSAL_PATH, 'foo'])
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ ensure
+ t.close!
+ end
+
+ def test_new_traversal_dir
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ t = Tempfile.new(TRAVERSAL_PATH + 'foo')
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ ensure
+ t.close!
+ end
+
+ def test_create_traversal_dir
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ Tempfile.create(TRAVERSAL_PATH + 'foo')
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ end
+end
assert_kind_of(String, d)
}
end
+
+ TRAVERSAL_PATH = Array.new(Dir.pwd.split('/').count, '..').join('/') + Dir.pwd + '/'
+ TRAVERSAL_PATH.delete!(':') if /mswin|mingw/ =~ RUBY_PLATFORM
+
+ def test_mktmpdir_traversal
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ Dir.mktmpdir(TRAVERSAL_PATH + 'foo')
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ end
+
+ def test_mktmpdir_traversal_array
+ expect = Dir.glob(TRAVERSAL_PATH + '*').count
+ Dir.mktmpdir([TRAVERSAL_PATH, 'foo'])
+ actual = Dir.glob(TRAVERSAL_PATH + '*').count
+ assert_equal expect, actual
+ end
end
end
def get_res_body(res)
- body = res.body
- if defined? body.read
- begin
- body.read
- ensure
- body.close
- end
- else
- body
- end
+ sio = StringIO.new
+ sio.binmode
+ res.send_body(sio)
+ sio.string
end
def make_range_request(range_spec)
res = make_range_response(filename, "bytes=0-0, -2")
assert_match(%r{^multipart/byteranges}, res["content-type"])
+ body = get_res_body(res)
+ boundary = /; boundary=(.+)/.match(res['content-type'])[1]
+ off = filesize - 2
+ last = filesize - 1
+
+ exp = "--#{boundary}\r\n" \
+ "Content-Type: text/plain\r\n" \
+ "Content-Range: bytes 0-0/#{filesize}\r\n" \
+ "\r\n" \
+ "#{IO.read(__FILE__, 1)}\r\n" \
+ "--#{boundary}\r\n" \
+ "Content-Type: text/plain\r\n" \
+ "Content-Range: bytes #{off}-#{last}/#{filesize}\r\n" \
+ "\r\n" \
+ "#{IO.read(__FILE__, 2, off)}\r\n" \
+ "--#{boundary}--\r\n"
+ assert_equal exp, body
end
def test_filehandler
require "tempfile"
require "webrick"
require "webrick/httpauth/basicauth"
+require "stringio"
require_relative "utils"
class TestWEBrickHTTPAuth < Test::Unit::TestCase
}
end
+ def test_bad_username_with_control_characters
+ log_tester = lambda {|log, access_log|
+ assert_equal(2, log.length)
+ assert_match(/ERROR Basic WEBrick's realm: foo\\ebar: the user is not allowed./, log[0])
+ assert_match(/ERROR WEBrick::HTTPStatus::Unauthorized/, log[1])
+ }
+ TestWEBrick.start_httpserver({}, log_tester) {|server, addr, port, log|
+ realm = "WEBrick's realm"
+ path = "/basic_auth"
+
+ Tempfile.create("test_webrick_auth") {|tmpfile|
+ tmpfile.close
+ tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+ tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
+ tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
+ tmp_pass.flush
+
+ htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+ users = []
+ htpasswd.each{|user, pass| users << user }
+ server.mount_proc(path){|req, res|
+ auth = WEBrick::HTTPAuth::BasicAuth.new(
+ :Realm => realm, :UserDB => htpasswd,
+ :Logger => server.logger
+ )
+ auth.authenticate(req, res)
+ res.body = "hoge"
+ }
+ http = Net::HTTP.new(addr, port)
+ g = Net::HTTP::Get.new(path)
+ g.basic_auth("foo\ebar", "passwd")
+ http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
+ }
+ }
+ end
+
DIGESTRES_ = /
([a-zA-Z\-]+)
[ \t]*(?:\r\n[ \t]*)*
}
end
+ def test_digest_auth_int
+ log_tester = lambda {|log, access_log|
+ log.reject! {|line| /\A\s*\z/ =~ line }
+ pats = [
+ /ERROR Digest wb auth-int realm: no credentials in the request\./,
+ /ERROR WEBrick::HTTPStatus::Unauthorized/,
+ /ERROR Digest wb auth-int realm: foo: digest unmatch\./
+ ]
+ pats.each {|pat|
+ assert(!log.grep(pat).empty?, "webrick log doesn't have expected error: #{pat.inspect}")
+ log.reject! {|line| pat =~ line }
+ }
+ assert_equal([], log)
+ }
+ TestWEBrick.start_httpserver({}, log_tester) {|server, addr, port, log|
+ realm = "wb auth-int realm"
+ path = "/digest_auth_int"
+
+ Tempfile.create("test_webrick_auth_int") {|tmpfile|
+ tmpfile.close
+ tmp_pass = WEBrick::HTTPAuth::Htdigest.new(tmpfile.path)
+ tmp_pass.set_passwd(realm, "foo", "Hunter2")
+ tmp_pass.flush
+
+ htdigest = WEBrick::HTTPAuth::Htdigest.new(tmpfile.path)
+ users = []
+ htdigest.each{|user, pass| users << user }
+ assert_equal %w(foo), users
+
+ auth = WEBrick::HTTPAuth::DigestAuth.new(
+ :Realm => realm, :UserDB => htdigest,
+ :Algorithm => 'MD5',
+ :Logger => server.logger,
+ :Qop => %w(auth-int),
+ )
+ server.mount_proc(path){|req, res|
+ auth.authenticate(req, res)
+ res.body = "bbb"
+ }
+ Net::HTTP.start(addr, port) do |http|
+ post = Net::HTTP::Post.new(path)
+ params = {}
+ data = 'hello=world'
+ body = StringIO.new(data)
+ post.content_length = data.bytesize
+ post['Content-Type'] = 'application/x-www-form-urlencoded'
+ post.body_stream = body
+
+ http.request(post) do |res|
+ assert_equal('401', res.code, log.call)
+ res["www-authenticate"].scan(DIGESTRES_) do |key, quoted, token|
+ params[key.downcase] = token || quoted.delete('\\')
+ end
+ params['uri'] = "http://#{addr}:#{port}#{path}"
+ end
+
+ body.rewind
+ cred = credentials_for_request('foo', 'Hunter3', params, body)
+ post['Authorization'] = cred
+ post.body_stream = body
+ http.request(post){|res|
+ assert_equal('401', res.code, log.call)
+ assert_not_equal("bbb", res.body, log.call)
+ }
+
+ body.rewind
+ cred = credentials_for_request('foo', 'Hunter2', params, body)
+ post['Authorization'] = cred
+ post.body_stream = body
+ http.request(post){|res| assert_equal("bbb", res.body, log.call)}
+ end
+ }
+ }
+ end
+
private
- def credentials_for_request(user, password, params)
+ def credentials_for_request(user, password, params, body = nil)
cnonce = "hoge"
nonce_count = 1
ha1 = "#{user}:#{params['realm']}:#{password}"
- ha2 = "GET:#{params['uri']}"
+ if body
+ dig = Digest::MD5.new
+ while buf = body.read(16384)
+ dig.update(buf)
+ end
+ body.rewind
+ ha2 = "POST:#{params['uri']}:#{dig.hexdigest}"
+ else
+ ha2 = "GET:#{params['uri']}"
+ end
+
request_digest =
"#{Digest::MD5.hexdigest(ha1)}:" \
"#{params['nonce']}:#{'%08x' % nonce_count}:#{cnonce}:#{params['qop']}:" \
require "webrick"
require "minitest/autorun"
require "stringio"
+require "net/http"
module WEBrick
class TestHTTPResponse < MiniTest::Unit::TestCase
@res.keep_alive = true
end
+ def test_prevent_response_splitting_headers
+ res['X-header'] = "malicious\r\nCookie: hack"
+ io = StringIO.new
+ res.send_response io
+ io.rewind
+ res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+ assert_equal '500', res.code
+ refute_match 'hack', io.string
+ end
+
+ def test_prevent_response_splitting_cookie_headers
+ user_input = "malicious\r\nCookie: hack"
+ res.cookies << WEBrick::Cookie.new('author', user_input)
+ io = StringIO.new
+ res.send_response io
+ io.rewind
+ res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+ assert_equal '500', res.code
+ refute_match 'hack', io.string
+ end
+
def test_304_does_not_log_warning
res.status = 304
res.setup_header
}
assert_equal 0, logger.messages.length
end
+
+ def test_send_body_proc
+ @res.body = Proc.new { |out| out.write('hello') }
+ IO.pipe do |r, w|
+ @res.send_body(w)
+ w.close
+ r.binmode
+ assert_equal 'hello', r.read
+ end
+ assert_equal 0, logger.messages.length
+ end
+
+ def test_send_body_proc_chunked
+ @res.body = Proc.new { |out| out.write('hello') }
+ @res.chunked = true
+ IO.pipe do |r, w|
+ @res.send_body(w)
+ w.close
+ r.binmode
+ assert_equal "5\r\nhello\r\n0\r\n\r\n", r.read
+ end
+ assert_equal 0, logger.messages.length
+ end
+
+ def test_set_error
+ status = 400
+ message = 'missing attribute'
+ @res.status = status
+ error = WEBrick::HTTPStatus[status].new(message)
+ body = @res.set_error(error)
+ assert_match(/#{@res.reason_phrase}/, body)
+ assert_match(/#{message}/, body)
+ end
end
end
}
assert_equal(0, requested, "Server responded to #{requested} requests after shutdown")
end
+
+ def test_cntrl_in_path
+ log_ary = []
+ access_log_ary = []
+ config = {
+ :Port => 0,
+ :BindAddress => '127.0.0.1',
+ :Logger => WEBrick::Log.new(log_ary, WEBrick::BasicLog::WARN),
+ :AccessLog => [[access_log_ary, '']],
+ }
+ s = WEBrick::HTTPServer.new(config)
+ s.mount('/foo', WEBrick::HTTPServlet::FileHandler, __FILE__)
+ th = Thread.new { s.start }
+ addr = s.listeners[0].addr
+
+ http = Net::HTTP.new(addr[3], addr[1])
+ req = Net::HTTP::Get.new('/notexist%0a/foo')
+ http.request(req) { |res| assert_equal('404', res.code) }
+ exp = %Q(ERROR `/notexist\\n/foo' not found.\n)
+ assert_equal 1, log_ary.size
+ assert log_ary[0].include?(exp)
+ ensure
+ s&.shutdown
+ th&.join
+ end
+
+ def test_gigantic_request_header
+ log_tester = lambda {|log, access_log|
+ assert_equal 1, log.size
+ assert log[0].include?('ERROR headers too large')
+ }
+ TestWEBrick.start_httpserver({}, log_tester){|server, addr, port, log|
+ server.mount('/', WEBrick::HTTPServlet::FileHandler, __FILE__)
+ TCPSocket.open(addr, port) do |c|
+ c.write("GET / HTTP/1.0\r\n")
+ junk = -"X-Junk: #{' ' * 1024}\r\n"
+ assert_raise(Errno::ECONNRESET, Errno::EPIPE) do
+ loop { c.write(junk) }
+ end
+ end
+ }
+ end
+
+ def test_eof_in_chunk
+ log_tester = lambda do |log, access_log|
+ assert_equal 1, log.size
+ assert log[0].include?('ERROR bad chunk data size')
+ end
+ TestWEBrick.start_httpserver({}, log_tester){|server, addr, port, log|
+ server.mount_proc('/', ->(req, res) { res.body = req.body })
+ TCPSocket.open(addr, port) do |c|
+ c.write("POST / HTTP/1.1\r\nHost: example.com\r\n" \
+ "Transfer-Encoding: chunked\r\n\r\n5\r\na")
+ c.shutdown(Socket::SHUT_WR) # trigger EOF in server
+ res = c.read
+ assert_match %r{\AHTTP/1\.1 400 }, res
+ end
+ }
+ end
+
+ def test_big_chunks
+ nr_out = 3
+ buf = 'big' # 3 bytes is bigger than 2!
+ config = { :InputBufferSize => 2 }.freeze
+ total = 0
+ all = ''
+ TestWEBrick.start_httpserver(config){|server, addr, port, log|
+ server.mount_proc('/', ->(req, res) {
+ err = []
+ ret = req.body do |chunk|
+ n = chunk.bytesize
+ n > config[:InputBufferSize] and err << "#{n} > :InputBufferSize"
+ total += n
+ all << chunk
+ end
+ ret.nil? or err << 'req.body should return nil'
+ (buf * nr_out) == all or err << 'input body does not match expected'
+ res.header['connection'] = 'close'
+ res.body = err.join("\n")
+ })
+ TCPSocket.open(addr, port) do |c|
+ c.write("POST / HTTP/1.1\r\nHost: example.com\r\n" \
+ "Transfer-Encoding: chunked\r\n\r\n")
+ chunk = "#{buf.bytesize.to_s(16)}\r\n#{buf}\r\n"
+ nr_out.times { c.write(chunk) }
+ c.write("0\r\n\r\n")
+ head, body = c.read.split("\r\n\r\n")
+ assert_match %r{\AHTTP/1\.1 200 OK}, head
+ assert_nil body
+ end
+ }
+ end
end
rb_thread_wakeup_timer_thread(void)
{
/* must be safe inside sighandler, so no mutex */
- ATOMIC_INC(timer_thread_pipe.writing);
- rb_thread_wakeup_timer_thread_fd(&timer_thread_pipe.normal[1]);
- ATOMIC_DEC(timer_thread_pipe.writing);
+ if (timer_thread_pipe.owner_process == getpid()) {
+ ATOMIC_INC(timer_thread_pipe.writing);
+ rb_thread_wakeup_timer_thread_fd(&timer_thread_pipe.normal[1]);
+ ATOMIC_DEC(timer_thread_pipe.writing);
+ }
}
static void
rb_thread_wakeup_timer_thread_low(void)
{
- ATOMIC_INC(timer_thread_pipe.writing);
- rb_thread_wakeup_timer_thread_fd(&timer_thread_pipe.low[1]);
- ATOMIC_DEC(timer_thread_pipe.writing);
+ if (timer_thread_pipe.owner_process == getpid()) {
+ ATOMIC_INC(timer_thread_pipe.writing);
+ rb_thread_wakeup_timer_thread_fd(&timer_thread_pipe.low[1]);
+ ATOMIC_DEC(timer_thread_pipe.writing);
+ }
}
/* VM-dependent API is not available for this function */
projects / ruby2.3.git / commitdiff