Merge RubyGems 2.7.6 from upstream.

It fixed some security vulnerabilities. http://blog.rubygems.org/2018/02/15/2.7.6-released.html git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62422 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: hsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2018-02-16 08:08:06 +0000
committer: hsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2018-02-16 08:08:06 +0000
commit: 7619cb3d7dcc9920a72ff5f2bc5546a5971fbab4 (patch)
tree: 1fe1f557eadc8ce3bd7b180434153e6420a7436b /lib/rubygems/package
parent: 7a453b157661561146ce84d821d6c5c18a5368df (diff)
download: ruby-7619cb3d7dcc9920a72ff5f2bc5546a5971fbab4.tar.gz
2 files changed, 16 insertions, 9 deletions
diff --git a/lib/rubygems/package/tar_header.rb b/lib/rubygems/package/tar_header.rb
index c54bd14d57..d557357114 100644
--- a/lib/rubygems/package/tar_header.rb
+++ b/lib/rubygems/package/tar_header.rb
@@ -104,25 +104,30 @@ class Gem::Package::TarHeader
     fields = header.unpack UNPACK_FORMAT
 
     new :name     => fields.shift,
-        :mode     => fields.shift.oct,
-        :uid      => fields.shift.oct,
-        :gid      => fields.shift.oct,
-        :size     => fields.shift.oct,
-        :mtime    => fields.shift.oct,
-        :checksum => fields.shift.oct,
+        :mode     => strict_oct(fields.shift),
+        :uid      => strict_oct(fields.shift),
+        :gid      => strict_oct(fields.shift),
+        :size     => strict_oct(fields.shift),
+        :mtime    => strict_oct(fields.shift),
+        :checksum => strict_oct(fields.shift),
         :typeflag => fields.shift,
         :linkname => fields.shift,
         :magic    => fields.shift,
-        :version  => fields.shift.oct,
+        :version  => strict_oct(fields.shift),
         :uname    => fields.shift,
         :gname    => fields.shift,
-        :devmajor => fields.shift.oct,
-        :devminor => fields.shift.oct,
+        :devmajor => strict_oct(fields.shift),
+        :devminor => strict_oct(fields.shift),
         :prefix   => fields.shift,
 
         :empty => empty
   end
 
+  def self.strict_oct(str)
+    return str.oct if str =~ /\A[0-7]*\z/
+    raise ArgumentError, "#{str.inspect} is not an octal string"
+  end
+
   ##
   # Creates a new TarHeader using +vals+
 
diff --git a/lib/rubygems/package/tar_writer.rb b/lib/rubygems/package/tar_writer.rb
index f68b8d4c5e..390f7851a3 100644
--- a/lib/rubygems/package/tar_writer.rb
+++ b/lib/rubygems/package/tar_writer.rb
@@ -196,6 +196,8 @@ class Gem::Package::TarWriter
       digest_name == signer.digest_name
     end
 
+    raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
+
     if signer.key then
       signature = signer.sign signature_digest.digest
author	hsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2018-02-16 08:08:06 +0000
committer	hsbt <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2018-02-16 08:08:06 +0000
commit	7619cb3d7dcc9920a72ff5f2bc5546a5971fbab4 (patch)
tree	1fe1f557eadc8ce3bd7b180434153e6420a7436b /lib/rubygems/package
parent	7a453b157661561146ce84d821d6c5c18a5368df (diff)
download	ruby-7619cb3d7dcc9920a72ff5f2bc5546a5971fbab4.tar.gz