Merge pull request #3030 from haus/jruby-1_7

Update rubygems to 2.4.8 to mitigate CVE-2015-4020
jruby · Jun 10, 2015 · dc15103 · dc15103
2 parents 311f12f + b1cf616
commit dc15103
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/lib/ruby/shared/rubygems.rb b/lib/ruby/shared/rubygems.rb
@@ -9,7 +9,7 @@
 require 'thread'
 
 module Gem
-  VERSION = '2.4.6'
+  VERSION = '2.4.8'
 end
 
 # Must be first since it unloads the prelude from 1.9.2

diff --git a/lib/ruby/shared/rubygems/remote_fetcher.rb b/lib/ruby/shared/rubygems/remote_fetcher.rb
@@ -94,7 +94,13 @@ def api_endpoint(uri)
     rescue Resolv::ResolvError
       uri
     else
-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
+      target = res.target.to_s.strip
+
+      if /\.#{Regexp.quote(host)}\z/ =~ target
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+      end
+
+      uri
     end
   end