Merge branch 'master' into core-updates

Ricardo Wurmus 2018-02-18 00:37:46 +01:00
commit ff9d1a2f0c
No known key found for this signature in database
GPG key ID: 197A5888235FACAC
17 changed files with 812 additions and 27 deletions


@ -106,6 +106,15 @@ _guix_is_dash_L ()
esac }
}
_guix_is_dash_m ()
{
[ "${COMP_WORDS[$COMP_CWORD - 1]}" = "-m" ] \
|| { case "${COMP_WORDS[$COMP_CWORD]}" in
--manifest=*) true;;
*) false;;
esac }
}
_guix_complete_file ()
{
# Let Readline complete file names.
@ -149,7 +158,7 @@ _guix_complete ()
*)
if _guix_is_command "package"
then
if _guix_is_dash_L
if _guix_is_dash_L || _guix_is_dash_m
then
_guix_complete_file
elif _guix_is_removing


@ -1063,6 +1063,7 @@ dist_patch_DATA = \
%D%/packages/patches/rpcbind-CVE-2017-8779.patch \
%D%/packages/patches/rsem-makefile.patch \
%D%/packages/patches/rtags-separate-rct.patch \
%D%/packages/patches/ruby-rubygems-276-for-ruby24.patch \
%D%/packages/patches/ruby-concurrent-ignore-broken-test.patch \
%D%/packages/patches/ruby-concurrent-test-arm.patch \
%D%/packages/patches/ruby-rack-ignore-failing-test.patch \


@ -6370,7 +6370,7 @@ (define-public r-sparql
(define-public vsearch
(package
(name "vsearch")
(version "2.7.0")
(version "2.7.1")
(source
(origin
(method url-fetch)
@ -6380,7 +6380,7 @@ (define-public vsearch
(file-name (string-append name "-" version ".tar.gz"))
(sha256
(base32
"0523b8xq5fw60ayl0k5m1fm6yrh1932ljrsz1ys67xnki7p7f1d5"))
"0jlzfgh79fzmb4g7sngzdjjsjyc37icvs1k7vmc2ksxglj6x5i7f"))
(patches (search-patches "vsearch-unbundle-cityhash.patch"))
(snippet
'(begin


@ -7098,6 +7098,78 @@ (define-public emacs-scratch-el
formatting rules for that language.")
(license license:bsd-2))))
(define-public emacs-esxml
(package
(name "emacs-esxml")
(version "0.3.4")
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/tali713/esxml.git")
(commit version)))
(file-name (git-file-name name version))
(sha256
(base32
"00vv8a75wdklygdyr4km9mc2ismxak69c45jmcny41xl44rp9x8m"))))
(build-system emacs-build-system)
(home-page "https://github.com/tali713/esxml/")
(synopsis "SXML for EmacsLisp")
(description "This is XML/XHTML done with S-Expressions in EmacsLisp.
Simply, this is the easiest way to write HTML or XML in Lisp. This library
uses the native form of XML representation as used by many libraries already
included within Emacs. See @code{esxml-to-xml} for a concise description of
the format.")
(license license:gpl3+)))
(define-public emacs-nov-el
(package
(name "emacs-nov-el")
(version "0.2.2")
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/wasamasa/nov.el.git")
(commit version)))
(file-name (git-file-name name version))
(sha256
(base32
"03s0qjvwk1f7y3i4wh2p5y3z4hdv00adgz8za3vphzc0q8i1kjzb"))))
(build-system emacs-build-system)
(arguments
`(#:phases
(modify-phases %standard-phases
(add-after 'unpack 'embed-path-to-unzip
(lambda _
(substitute* "nov.el"
(("\\(executable-find \"unzip\"\\)")
(string-append "\"" (which "unzip") "\"")))
#t)))))
(propagated-inputs
`(("emacs-dash" ,emacs-dash)
("emacs-esxml" ,emacs-esxml)))
(inputs
`(("unzip" ,unzip)))
(home-page "https://github.com/wasamasa/nov.el/")
(synopsis "Major mode for reading EPUBs in Emacs")
(description "@code{nov.el} provides a major mode for reading EPUB
documents.
Features:
@itemize
@item Basic navigation (jump to TOC, previous/next chapter)
@item Remembering and restoring the last read position
@item Jump to next chapter when scrolling beyond end
@item Renders EPUB2 (@code{.ncx}) and EPUB3 (@code{<nav>}) TOCs
@item Hyperlinks to internal and external targets
@item Supports textual and image documents
@item View source of document files
@item Metadata display
@item Image rescaling
@end itemize
")
(license license:gpl3+)))
(define-public epipe
(package
(name "epipe")


@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015, 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 David Thompson <davet@gnu.org>
@ -178,6 +178,13 @@ (define-public geda-gaf
(add-before 'check 'set-home
(lambda _
(setenv "HOME" (getenv "TMPDIR"))
#t))
;; FIXME: These two tests fail for unknown reasons. They return "2"
;; when they should return "1".
(add-after 'unpack 'disable-failing-tests
(lambda _
(substitute* "utils/tests/gxyrs/tests.list"
(("^do_nothing.*") ""))
#t)))
#:configure-flags
(let ((pcb (assoc-ref %build-inputs "pcb")))


@ -32,7 +32,7 @@
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017, 2018 Rutger Helling <rhelling@mykolab.com>
;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
;;; Copyright © 2017 Nicolas Goaziou <mail@nicolasgoaziou.fr>
;;; Copyright © 2017, 2018 Nicolas Goaziou <mail@nicolasgoaziou.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@ -5598,3 +5598,83 @@ (define-public badass
Github or Gitlab.")
(home-page "https://github.com/umayr/badass")
(license license:expat))))
(define-public colobot
(package
(name "colobot")
(version "0.1.11-alpha")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/colobot/colobot/archive/"
"colobot-gold-" version ".tar.gz"))
(sha256
(base32
"160rq9fp5vd0qaqr3jvzvzrcxk9cac532y8vx4cvq0a8hgylrbad"))))
(build-system cmake-build-system)
(arguments
`(#:tests? #f ;no test
#:phases
(modify-phases %standard-phases
(add-after 'unpack 'unpack-data
(lambda* (#:key inputs #:allow-other-keys)
(let ((data (assoc-ref inputs "colobot-data")))
(invoke "tar" "-xvf" data "-Cdata" "--strip-components=1")
#t)))
(add-after 'unpack-data 'install-music
(lambda* (#:key inputs #:allow-other-keys)
;; Installation process tries to download music files using
;; "wget" if not already present. Since we are going to install
;; them, skip "wget" command check.
(substitute* "data/music/CMakeLists.txt"
(("find_program\\(WGET wget\\)") ""))
;; Effectively install music.
(let ((data (assoc-ref inputs "colobot-music")))
(invoke "tar" "-xvf" data "-Cdata/music")
#t)))
(add-after 'install 'fix-install-directory
;; Move binary from "games/" to "bin/".
(lambda* (#:key outputs #:allow-other-keys)
(let ((out (assoc-ref outputs "out")))
(rename-file (string-append out "/games")
(string-append out "/bin"))
#t))))))
(native-inputs
`(("colobot-data"
,(origin
(method url-fetch)
(uri (string-append
"https://github.com/colobot/colobot-data/archive/"
"colobot-gold-" version ".tar.gz"))
(sha256
(base32
"1pdpsyr41g7xmk03k2g76l214f53ahk04qnkzmsv1fdbbaq7p109"))))
("colobot-music"
,(origin
(method url-fetch)
(uri (string-append "https://colobot.info/files/music/"
"colobot-music_ogg_" version ".tar.gz"))
(sha256
(base32
"1s86cd36rwkff329mb1ay1wi5qqyi35564ppgr3f4qqz9wj9vs2m"))))
("gettext" ,gettext-minimal)
("librsvg" ,librsvg)
("po4a" ,po4a)
("python" ,python-wrapper)))
(inputs
`(("boost" ,boost)
("glew" ,glew)
("libogg" ,libogg)
("libpng" ,libpng)
("libsndfile" ,libsndfile)
("libvorbis" ,libvorbis)
("openal" ,openal)
("physfs" ,physfs)
("sdl" ,(sdl-union (list sdl2 sdl2-image sdl2-ttf)))))
(synopsis "Educational programming strategy game")
(description "Colobot: Gold Edition is a real-time strategy game, where
you can program your units (bots) in a language called CBOT, which is similar
to C++ and Java. Your mission is to find a new planet to live and survive.
You can save humanity and get programming skills!")
(home-page "https://colobot.info")
(license license:gpl3+)))


@ -1254,7 +1254,7 @@ (define-public girara
("check" ,check)
("gettext" ,gettext-minimal)
("glib:bin" ,glib "bin")
("xorg-server" ,xorg-server)))
("xorg-server" ,xorg-server-1.19.3)))
;; Listed in 'Requires.private' of 'girara.pc'.
(propagated-inputs `(("gtk+" ,gtk+)))
(arguments
@ -1262,6 +1262,7 @@ (define-public girara
`(,(string-append "PREFIX=" (assoc-ref %outputs "out"))
"COLOR=0" "CC=gcc")
#:test-target "test"
#:disallowed-references (,xorg-server-1.19.3)
#:phases (modify-phases %standard-phases
(delete 'configure)
(add-before 'check 'start-xserver
@ -1270,6 +1271,11 @@ (define-public girara
(let ((xorg-server (assoc-ref inputs "xorg-server"))
(display ":1"))
(setenv "DISPLAY" display)
;; On busy machines, tests may take longer than
;; the default of four seconds.
(setenv "CK_DEFAULT_TIMEOUT" "20")
;; Don't fail due to missing '/etc/machine-id'.
(setenv "DBUS_FATAL_WARNINGS" "0")
(zero? (system (string-append xorg-server "/bin/Xvfb "


@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Joshua S. Grant <jgrant@parenthetical.io>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@ -27,7 +27,7 @@ (define-module (gnu packages libffcall)
(define-public libffcall
(package
(name "libffcall")
(version "2.0")
(version "2.1")
(source
(origin
(method url-fetch)
@ -35,7 +35,7 @@ (define-public libffcall
"mirror://gnu/libffcall/libffcall-" version ".tar.gz"))
(sha256
(base32
"0v0rh3vawb8z5q40fs3kr2f9zp06n2fq4rr2ww4562nr96sd5aj1"))))
"0iwcad6w78jp84vd6xaz5fwqm84n3cb42bdf5m5cj5xzpa5zp4d0"))))
(build-system gnu-build-system)
(arguments `(#:parallel-build? #f))
(synopsis "Foreign function calls from interpreters")


@ -3153,10 +3153,12 @@ (define-public btrfs-progs
(lambda _ (zero? (system* "make" "static"))))
(add-after 'install 'install-bash-completion
(lambda* (#:key outputs #:allow-other-keys)
(install-file "btrfs-completion"
(string-append (assoc-ref outputs "out")
"/etc/bash_completion.d"))
#t))
(let* ((out (assoc-ref outputs "out"))
(bashcomp (string-append out "/etc/bash_completion.d")))
(mkdir-p bashcomp)
(copy-file "btrfs-completion"
(string-append bashcomp "/btrfs"))
#t)))
(add-after 'install 'install-static
(let ((staticbin (string-append (assoc-ref %outputs "static")
"/bin")))


@ -339,7 +339,7 @@ (define-public ocaml4.01-gsl
(define-public glpk
(package
(name "glpk")
(version "4.64")
(version "4.65")
(source
(origin
(method url-fetch)
@ -347,7 +347,7 @@ (define-public glpk
version ".tar.gz"))
(sha256
(base32
"096cqgjc7vkq6wd8znhcxjbs1s2rym3qf753fqxrrq531vs6g4jk"))))
"040sfaa9jclg2nqdh83w71sv9rc1sznpnfiripjdyr48cady50a2"))))
(build-system gnu-build-system)
(inputs
`(("gmp" ,gmp)))


@ -0,0 +1,605 @@
diff --git lib/rubygems.rb lib/rubygems.rb
index 0685bcb3c6..a5a9202e56 100644
--- ruby-2.4.3/lib/rubygems.rb
+++ ruby-2.4.3/lib/rubygems.rb
@@ -10,7 +10,7 @@
require 'thread'
module Gem
- VERSION = "2.6.14"
+ VERSION = "2.6.14.1"
end
# Must be first since it unloads the prelude from 1.9.2
diff --git lib/rubygems/commands/owner_command.rb lib/rubygems/commands/owner_command.rb
index 4b99434e87..2ee7f84462 100644
--- ruby-2.4.3/lib/rubygems/commands/owner_command.rb
+++ ruby-2.4.3/lib/rubygems/commands/owner_command.rb
@@ -62,7 +62,7 @@ def show_owners name
end
with_response response do |resp|
- owners = YAML.load resp.body
+ owners = Gem::SafeYAML.load resp.body
say "Owners for gem: #{name}"
owners.each do |owner|
diff --git lib/rubygems/package.rb lib/rubygems/package.rb
index 77811ed5ec..b5a5fe2a26 100644
--- ruby-2.4.3/lib/rubygems/package.rb
+++ ruby-2.4.3/lib/rubygems/package.rb
@@ -378,7 +378,7 @@ def extract_tar_gz io, destination_dir, pattern = "*" # :nodoc:
File.dirname destination
end
- FileUtils.mkdir_p mkdir, mkdir_options
+ mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
open destination, 'wb' do |out|
out.write entry.read
@@ -416,20 +416,35 @@ def install_location filename, destination_dir # :nodoc:
raise Gem::Package::PathError.new(filename, destination_dir) if
filename.start_with? '/'
- destination_dir = File.realpath destination_dir if
- File.respond_to? :realpath
+ destination_dir = realpath destination_dir
destination_dir = File.expand_path destination_dir
destination = File.join destination_dir, filename
destination = File.expand_path destination
raise Gem::Package::PathError.new(destination, destination_dir) unless
- destination.start_with? destination_dir
+ destination.start_with? destination_dir + '/'
destination.untaint
destination
end
+ def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
+ destination_dir = realpath File.expand_path(destination_dir)
+ parts = mkdir.split(File::SEPARATOR)
+ parts.reduce do |path, basename|
+ path = realpath path unless path == ""
+ path = File.expand_path(path + File::SEPARATOR + basename)
+ lstat = File.lstat path rescue nil
+ if !lstat || !lstat.directory?
+ unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
+ raise Gem::Package::PathError.new(file_name, destination_dir)
+ end
+ end
+ path
+ end
+ end
+
##
# Loads a Gem::Specification from the TarEntry +entry+
@@ -603,6 +618,10 @@ def verify_files gem
raise Gem::Package::FormatError.new \
'package content (data.tar.gz) is missing', @gem
end
+
+ if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
+ raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
+ end
end
##
@@ -616,6 +635,16 @@ def verify_gz entry # :nodoc:
raise Gem::Package::FormatError.new(e.message, entry.full_name)
end
+ if File.respond_to? :realpath
+ def realpath file
+ File.realpath file
+ end
+ else
+ def realpath file
+ file
+ end
+ end
+
end
require 'rubygems/package/digest_io'
diff --git lib/rubygems/package/tar_header.rb lib/rubygems/package/tar_header.rb
index c54bd14d57..d557357114 100644
--- ruby-2.4.3/lib/rubygems/package/tar_header.rb
+++ ruby-2.4.3/lib/rubygems/package/tar_header.rb
@@ -104,25 +104,30 @@ def self.from(stream)
fields = header.unpack UNPACK_FORMAT
new :name => fields.shift,
- :mode => fields.shift.oct,
- :uid => fields.shift.oct,
- :gid => fields.shift.oct,
- :size => fields.shift.oct,
- :mtime => fields.shift.oct,
- :checksum => fields.shift.oct,
+ :mode => strict_oct(fields.shift),
+ :uid => strict_oct(fields.shift),
+ :gid => strict_oct(fields.shift),
+ :size => strict_oct(fields.shift),
+ :mtime => strict_oct(fields.shift),
+ :checksum => strict_oct(fields.shift),
:typeflag => fields.shift,
:linkname => fields.shift,
:magic => fields.shift,
- :version => fields.shift.oct,
+ :version => strict_oct(fields.shift),
:uname => fields.shift,
:gname => fields.shift,
- :devmajor => fields.shift.oct,
- :devminor => fields.shift.oct,
+ :devmajor => strict_oct(fields.shift),
+ :devminor => strict_oct(fields.shift),
:prefix => fields.shift,
:empty => empty
end
+ def self.strict_oct(str)
+ return str.oct if str =~ /\A[0-7]*\z/
+ raise ArgumentError, "#{str.inspect} is not an octal string"
+ end
+
##
# Creates a new TarHeader using +vals+
diff --git lib/rubygems/package/tar_writer.rb lib/rubygems/package/tar_writer.rb
index f68b8d4c5e..390f7851a3 100644
--- ruby-2.4.3/lib/rubygems/package/tar_writer.rb
+++ ruby-2.4.3/lib/rubygems/package/tar_writer.rb
@@ -196,6 +196,8 @@ def add_file_signed name, mode, signer
digest_name == signer.digest_name
end
+ raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
+
if signer.key then
signature = signer.sign signature_digest.digest
diff --git lib/rubygems/server.rb lib/rubygems/server.rb
index df4eb566d3..a7b5243ba0 100644
--- ruby-2.4.3/lib/rubygems/server.rb
+++ ruby-2.4.3/lib/rubygems/server.rb
@@ -631,6 +631,18 @@ def root(req, res)
executables = nil if executables.empty?
executables.last["is_last"] = true if executables
+ # Pre-process spec homepage for safety reasons
+ begin
+ homepage_uri = URI.parse(spec.homepage)
+ if [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+ homepage_uri = spec.homepage
+ else
+ homepage_uri = "."
+ end
+ rescue URI::InvalidURIError
+ homepage_uri = "."
+ end
+
specs << {
"authors" => spec.authors.sort.join(", "),
"date" => spec.date.to_s,
@@ -640,7 +652,7 @@ def root(req, res)
"only_one_executable" => (executables && executables.size == 1),
"full_name" => spec.full_name,
"has_deps" => !deps.empty?,
- "homepage" => spec.homepage,
+ "homepage" => homepage_uri,
"name" => spec.name,
"rdoc_installed" => Gem::RDoc.new(spec).rdoc_installed?,
"ri_installed" => Gem::RDoc.new(spec).ri_installed?,
diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
index 40e3a70d47..0a154b9001 100644
--- ruby-2.4.3/lib/rubygems/specification.rb
+++ ruby-2.4.3/lib/rubygems/specification.rb
@@ -15,6 +15,7 @@
require 'rubygems/stub_specification'
require 'rubygems/util/list'
require 'stringio'
+require 'uri'
##
# The Specification class contains the information for a Gem. Typically
@@ -2813,10 +2814,16 @@ def validate packaging = true
raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
end
- if homepage and not homepage.empty? and
- homepage !~ /\A[a-z][a-z\d+.-]*:/i then
- raise Gem::InvalidSpecificationException,
- "\"#{homepage}\" is not a URI"
+ # Make sure a homepage is valid HTTP/HTTPS URI
+ if homepage and not homepage.empty?
+ begin
+ homepage_uri = URI.parse(homepage)
+ unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
+ end
+ rescue URI::InvalidURIError
+ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
+ end
end
# Warnings
diff --git test/rubygems/test_gem_commands_owner_command.rb test/rubygems/test_gem_commands_owner_command.rb
index 44652c1093..53cac4ce87 100644
--- ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb
+++ ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb
@@ -43,6 +43,31 @@ def test_show_owners
assert_match %r{- 4}, @ui.output
end
+ def test_show_owners_dont_load_objects
+ skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
+
+ response = <<EOF
+---
+- email: !ruby/object:Object {}
+ id: 1
+ handle: user1
+- email: user2@example.com
+- id: 3
+ handle: user3
+- id: 4
+EOF
+
+ @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
+
+ assert_raises Psych::DisallowedClass do
+ use_ui @ui do
+ @cmd.show_owners("freewill")
+ end
+ end
+
+ end
+
+
def test_show_owners_setting_up_host_through_env_var
response = "- email: user1@example.com\n"
host = "http://rubygems.example"
diff --git test/rubygems/test_gem_package.rb test/rubygems/test_gem_package.rb
index 9d47f0dea4..5b93475314 100644
--- ruby-2.4.3/test/rubygems/test_gem_package.rb
+++ ruby-2.4.3/test/rubygems/test_gem_package.rb
@@ -455,6 +455,31 @@ def test_extract_tar_gz_symlink_relative_path
File.read(extracted)
end
+ def test_extract_symlink_parent
+ skip 'symlink not supported' if Gem.win_platform?
+
+ package = Gem::Package.new @gem
+
+ tgz_io = util_tar_gz do |tar|
+ tar.mkdir 'lib', 0755
+ tar.add_symlink 'lib/link', '../..', 0644
+ tar.add_file 'lib/link/outside.txt', 0644 do |io| io.write 'hi' end
+ end
+
+ # Extract into a subdirectory of @destination; if this test fails it writes
+ # a file outside destination_subdir, but we want the file to remain inside
+ # @destination so it will be cleaned up.
+ destination_subdir = File.join @destination, 'subdir'
+ FileUtils.mkdir_p destination_subdir
+
+ e = assert_raises Gem::Package::PathError do
+ package.extract_tar_gz tgz_io, destination_subdir
+ end
+
+ assert_equal("installing into parent path lib/link/outside.txt of " +
+ "#{destination_subdir} is not allowed", e.message)
+ end
+
def test_extract_tar_gz_directory
package = Gem::Package.new @gem
@@ -566,6 +591,21 @@ def test_install_location_relative
"#{@destination} is not allowed", e.message)
end
+ def test_install_location_suffix
+ package = Gem::Package.new @gem
+
+ filename = "../#{File.basename(@destination)}suffix.rb"
+
+ e = assert_raises Gem::Package::PathError do
+ package.install_location filename, @destination
+ end
+
+ parent = File.expand_path File.join @destination, filename
+
+ assert_equal("installing into parent path #{parent} of " +
+ "#{@destination} is not allowed", e.message)
+ end
+
def test_load_spec
entry = StringIO.new Gem.gzip @spec.to_yaml
def entry.full_name() 'metadata.gz' end
@@ -723,6 +763,32 @@ def test_verify_nonexistent
assert_match %r%nonexistent.gem$%, e.message
end
+ def test_verify_duplicate_file
+ FileUtils.mkdir_p 'lib'
+ FileUtils.touch 'lib/code.rb'
+
+ build = Gem::Package.new @gem
+ build.spec = @spec
+ build.setup_signer
+ open @gem, 'wb' do |gem_io|
+ Gem::Package::TarWriter.new gem_io do |gem|
+ build.add_metadata gem
+ build.add_contents gem
+
+ gem.add_file_simple 'a.sig', 0444, 0
+ gem.add_file_simple 'a.sig', 0444, 0
+ end
+ end
+
+ package = Gem::Package.new @gem
+
+ e = assert_raises Gem::Security::Exception do
+ package.verify
+ end
+
+ assert_equal 'duplicate files in the package: ("a.sig")', e.message
+ end
+
def test_verify_security_policy
skip 'openssl is missing' unless defined?(OpenSSL::SSL)
@@ -780,7 +846,13 @@ def test_verify_security_policy_checksum_missing
# write bogus data.tar.gz to foil signature
bogus_data = Gem.gzip 'hello'
- gem.add_file_simple 'data.tar.gz', 0444, bogus_data.length do |io|
+ fake_signer = Class.new do
+ def digest_name; 'SHA512'; end
+ def digest_algorithm; Digest(:SHA512); end
+ def key; 'key'; end
+ def sign(*); 'fake_sig'; end
+ end
+ gem.add_file_signed 'data2.tar.gz', 0444, fake_signer.new do |io|
io.write bogus_data
end
diff --git test/rubygems/test_gem_package_tar_header.rb test/rubygems/test_gem_package_tar_header.rb
index d33877057d..43f508df45 100644
--- ruby-2.4.3/test/rubygems/test_gem_package_tar_header.rb
+++ ruby-2.4.3/test/rubygems/test_gem_package_tar_header.rb
@@ -143,5 +143,26 @@ def test_update_checksum
assert_equal '012467', @tar_header.checksum
end
+ def test_from_bad_octal
+ test_cases = [
+ "00000006,44\000", # bogus character
+ "00000006789\000", # non-octal digit
+ "+0000001234\000", # positive sign
+ "-0000001000\000", # negative sign
+ "0x000123abc\000", # radix prefix
+ ]
+
+ test_cases.each do |val|
+ header_s = @tar_header.to_s
+ # overwrite the size field
+ header_s[124, 12] = val
+ io = TempIO.new header_s
+ assert_raises ArgumentError do
+ new_header = Gem::Package::TarHeader.from io
+ end
+ io.close! if io.respond_to? :close!
+ end
+ end
+
end
diff --git test/rubygems/test_gem_server.rb test/rubygems/test_gem_server.rb
index 4873fac5b6..96ed9194e9 100644
--- ruby-2.4.3/test/rubygems/test_gem_server.rb
+++ ruby-2.4.3/test/rubygems/test_gem_server.rb
@@ -336,6 +336,171 @@ def test_root_gemdirs
assert_match 'z 9', @res.body
end
+
+ def test_xss_homepage_fix_289313
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'xsshomepagegem', 1
+ spec.homepage = "javascript:confirm(document.domain)"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'xsshomepagegem 1', @res.body
+
+ # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
+ # valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
+ # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
+ # validated in future versions of Gem::Specification.
+ #
+ # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
+ #
+ # Variant #1 - rdoc not installed
+ #
+ # <b>xsshomepagegem 1</b>
+ #
+ #
+ # <span title="rdoc not installed">[rdoc]</span>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ #
+ # Variant #2 - rdoc installed
+ #
+ # <b>xsshomepagegem 1</b>
+ #
+ #
+ # <a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ regex_match = /xsshomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
+ def test_invalid_homepage
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'invalidhomepagegem', 1
+ spec.homepage = "notavalidhomepageurl"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'invalidhomepagegem 1', @res.body
+
+ # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a
+ # valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here,
+ # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be
+ # validated in future versions of Gem::Specification.
+ #
+ # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
+ #
+ # Variant #1 - rdoc not installed
+ #
+ # <b>invalidhomepagegem 1</b>
+ #
+ #
+ # <span title="rdoc not installed">[rdoc]</span>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ #
+ # Variant #2 - rdoc installed
+ #
+ # <b>invalidhomepagegem 1</b>
+ #
+ #
+ # <a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>
+ #
+ #
+ #
+ # <a href="." title=".">[www]</a>
+ regex_match = /invalidhomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
+ def test_valid_homepage_http
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'validhomepagegemhttp', 1
+ spec.homepage = "http://rubygems.org"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'validhomepagegemhttp 1', @res.body
+
+ regex_match = /validhomepagegemhttp 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttp-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="http:\/\/rubygems\.org" title="http:\/\/rubygems\.org">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
+ def test_valid_homepage_https
+ data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+ dir = "#{@gemhome}2"
+
+ spec = util_spec 'validhomepagegemhttps', 1
+ spec.homepage = "https://rubygems.org"
+
+ specs_dir = File.join dir, 'specifications'
+ FileUtils.mkdir_p specs_dir
+
+ open File.join(specs_dir, spec.spec_name), 'w' do |io|
+ io.write spec.to_ruby
+ end
+
+ server = Gem::Server.new dir, process_based_port, false
+
+ @req.parse data
+
+ server.root @req, @res
+
+ assert_equal 200, @res.status
+ assert_match 'validhomepagegemhttps 1', @res.body
+
+ regex_match = /validhomepagegemhttps 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttps-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="https:\/\/rubygems\.org" title="https:\/\/rubygems\.org">\[www\]<\/a>/
+ assert_match regex_match, @res.body
+ end
+
def test_specs
data = StringIO.new "GET /specs.#{Gem.marshal_version} HTTP/1.0\r\n\r\n"
@req.parse data
diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb
index 0fcc11e78f..1c68826fb3 100644
--- ruby-2.4.3/test/rubygems/test_gem_specification.rb
+++ ruby-2.4.3/test/rubygems/test_gem_specification.rb
@@ -2890,7 +2890,22 @@ def test_validate_homepage
@a1.validate
end
- assert_equal '"over at my cool site" is not a URI', e.message
+ assert_equal '"over at my cool site" is not a valid HTTP URI', e.message
+
+ @a1.homepage = 'ftp://rubygems.org'
+
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+
+ assert_equal '"ftp://rubygems.org" is not a valid HTTP URI', e.message
+
+ @a1.homepage = 'http://rubygems.org'
+ assert_equal true, @a1.validate
+
+ @a1.homepage = 'https://rubygems.org'
+ assert_equal true, @a1.validate
+
end
end
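Review bot: In the new `mkdir_p_safe` (lib/rubygems/package.rb hunk) the containment test is `path.start_with? destination_dir` with no trailing separator, whereas the `install_location` hunk directly above it is tightened to `destination_dir + '/'` precisely so that a path which merely shares the destination's prefix is rejected; after `realpath` resolution a directory named like `<destination_dir>suffix` would still satisfy the weaker test, which the new `test_install_location_suffix` covers only for `install_location`. Since this file is a verbatim upstream backport, the discrepancy is best raised upstream and recorded in the patch header rather than patched locally, but the one-line fix would be `unless path.start_with?(destination_dir + File::SEPARATOR) and (FileUtils.mkdir path, mkdir_options rescue false)`. Separately, `Gem::SafeYAML` used in the owner_command.rb hunk is not defined anywhere in this patch; it presumably ships with the RubyGems bundled in ruby 2.4.3, which is worth confirming before relying on the `test_show_owners_dont_load_objects` test to pass.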


@ -323,7 +323,6 @@ (define-public zathura-cb
(base32
"0r4viisycj39kaz4281cmkr7n9w5q96dmlf7nf45n8zq8qy2npw3"))))
(native-inputs `(("pkg-config" ,pkg-config)))
(propagated-inputs `(("girara" ,girara)))
(inputs `(("libarchive" ,libarchive)
("zathura" ,zathura)))
(build-system gnu-build-system)
@ -353,7 +352,6 @@ (define-public zathura-ps
(base32
"1x4knqja8pw2a5cb3y2209nr3iddj1z8nwasy48v5nprj61fdxqj"))))
(native-inputs `(("pkg-config" ,pkg-config)))
(propagated-inputs `(("girara" ,girara)))
(inputs `(("libspectre" ,libspectre)
("zathura" ,zathura)))
(build-system gnu-build-system)
@ -383,7 +381,6 @@ (define-public zathura-djvu
(base32
"1sbfdsyp50qc85xc4458sn4w1rv1qbygdwmcr5kjlfpsmdq98vhd"))))
(native-inputs `(("pkg-config" ,pkg-config)))
(propagated-inputs `(("girara" ,girara)))
(inputs
`(("djvulibre" ,djvulibre)
("zathura" ,zathura)))
@ -414,7 +411,6 @@ (define-public zathura-pdf-mupdf
(base32
"0xkajc3is7ncmb2fmymbzfgrran2bz12i7zsm1vvxhxds728h7ck"))))
(native-inputs `(("pkg-config" ,pkg-config)))
(propagated-inputs `(("girara" ,girara)))
(inputs
`(("jbig2dec" ,jbig2dec)
("libjpeg" ,libjpeg)
@ -448,7 +444,6 @@ (define-public zathura-pdf-poppler
(base32
"1m55m7s7f8ng8a7lmcw9z4n5zv7xk4vp9n6fp9j84z6rk2imf7a2"))))
(native-inputs `(("pkg-config" ,pkg-config)))
(propagated-inputs `(("girara" ,girara)))
(inputs
`(("poppler" ,poppler)
("zathura" ,zathura)))
@ -486,7 +481,7 @@ (define-public zathura
;; For tests.
("check" ,check)
("xorg-server" ,xorg-server)))
("xorg-server" ,xorg-server-1.19.3)))
(inputs `(("sqlite" ,sqlite)))
;; Listed in 'Requires.private' of 'zathura.pc'.
(propagated-inputs `(("cairo" ,cairo)
@ -501,6 +496,7 @@ (define-public zathura
`(,(string-append "PREFIX=" (assoc-ref %outputs "out"))
"CC=gcc" "COLOR=0")
#:test-target "test"
#:disallowed-references (,xorg-server-1.19.3)
#:phases (modify-phases %standard-phases
(delete 'configure)
(add-before 'check 'start-xserver
@ -509,6 +505,11 @@ (define-public zathura
(let ((xorg-server (assoc-ref inputs "xorg-server"))
(display ":1"))
(setenv "DISPLAY" display)
;; On busy machines, tests may take longer than
;; the default of four seconds.
(setenv "CK_DEFAULT_TIMEOUT" "20")
;; Don't fail due to missing '/etc/machine-id'.
(setenv "DBUS_FATAL_WARNINGS" "0")
(zero? (system (string-append xorg-server "/bin/Xvfb "


@ -62,6 +62,7 @@ (define-public ruby
(sha256
(base32
"0l9bv67dgsphk42lmiskhrnh47hbyj6rfg2rcjx22xivpx07srr3"))
(patches (search-patches "ruby-rubygems-276-for-ruby24.patch"))
(modules '((guix build utils)))
(snippet `(begin
;; Remove bundled libffi


@ -207,7 +207,7 @@ (define-public bigloo
version ".tar.gz"))
(sha256
(base32
"1xpzxjlq5g8j3jrb908kfaaa0pkynk4rd083hzvb08amhy68sx07"))
"1x7xdgsls277zlf6gcaxs2cj62xj6yvb0qxh0ddmxfamvxba0cf4"))
;; Remove bundled libraries.
(modules '((guix build utils)))
(snippet


@ -138,14 +138,14 @@ (define-public git
(name "git")
;; XXX When updating Git, check if the special 'git:src' input to cgit needs
;; to be updated as well.
(version "2.16.1")
(version "2.16.2")
(source (origin
(method url-fetch)
(uri (string-append "mirror://kernel.org/software/scm/git/git-"
version ".tar.xz"))
(sha256
(base32
"06gay8k29glg4giwphjalcc1fknxw4bmxkmbr3ic3gzxy8vl7bfg"))))
"05y7480f2p7fkncbhf08zz56jbykcp0ia5gl6y3djs0lsa5mfq2m"))))
(build-system gnu-build-system)
(native-inputs
`(("native-perl" ,perl)
@ -158,7 +158,7 @@ (define-public git
version ".tar.xz"))
(sha256
(base32
"1ympib7kd818v4wjgfrhxjrmv91n50lgxxg0i9gcqihgy3divrlp"))))))
"01fbmfsqcv7jmyh80yg3fv5jwv78zvxys9b0fd6bdcy89h9ybvj2"))))))
(inputs
`(("curl" ,curl)
("expat" ,expat)


@ -3401,7 +3401,7 @@ (define-public xf86-video-trident
(define-public xf86-video-vesa
(package
(name "xf86-video-vesa")
(version "2.3.4")
(version "2.4.0")
(source
(origin
(method url-fetch)
@ -3411,7 +3411,7 @@ (define-public xf86-video-vesa
".tar.bz2"))
(sha256
(base32
"1haiw8r1z8ihk68d0jqph2wsld13w4qkl86biq46fvyxg7cg9pbv"))))
"1373vsxn6qh00na0s9c09kf09gj78rzi98zq93id8v5zsya3qi5z"))))
(build-system gnu-build-system)
(inputs `(("xorg-server" ,xorg-server)))
(native-inputs `(("pkg-config" ,pkg-config)))


@ -318,6 +318,7 @@ (define builder
(use-modules (ice-9 match)
(ice-9 regex)
(ice-9 ftw)
(ice-9 rdelim)
(srfi srfi-1)
(srfi srfi-26))