Commits on Apr 20, 2012
  1. Remove redundant certs

    evanphx committed Apr 20, 2012
Commits on Apr 19, 2012
  1. Bump to 1.3.7.1

    evanphx committed Apr 19, 2012
  2. Insecure connection to SSL repository

    Fixes 2 SSL usage problems of RemoteFetcher.
    - No verification
    - Follows HTTPS -> HTTP redirection
    
    For the first problem, RemoteFetcher must use OpenSSL::SSL::VERIFY_PEER
    instead of VERIFY_NONE.  And to enable SSL verification of
    RemoteFetcher, we need to make the trusted CA configurable.  This commit
    adds :ssl_verify_mode and :ssl_ca_cert to Gem::ConfigFile (normally
    .gemrc).  Both configurations are treated as the same options in open-uri.
    
    When :ssl_ca_cert is set, only the given path is treated as the trusted
    CA certificate(s).  If it's not set, OpenSSL's default store (sometimes
    configured as /etc/ssl/certs by the system) *AND*
    lib/rubygems/ssl_certs/*.pem are trusted.  lib/rubygems/ssl_certs/*.pem
    are shipped to make sure all RubyGems clients can successfully access
    https://rubygems.org/.
    
    At this moment, RubyGems.org uses 3 SSL servers (https://rubygems.org/,
    https://s3.amazon.com/, and https://d2chzxaqi4y7f8.cloudfront.net/) and
    each SSL certificate needs a different root CA certificate.  So the
    lib/rubygems/ssl_certs/ directory has 3 CA certificates in it.
    
    For the second problem, this patch lets RemoteFetcher raise
    RemoteFetcher::FetchError if a server returns an HTTPS -> HTTP redirection.
    Other types of redirection, HTTP -> HTTP, HTTPS -> HTTPS and HTTP ->
    HTTPS, are allowed as before, like open-uri.rb.
    
    The second issue is rather harmless because RemoteFetcher does not send
    Cookie nor Referer to the server (those resources for an HTTPS site must
    not be sent to an HTTP site).  However, by following an HTTPS -> HTTP
    redirection, an attacker can inject malicious gem contents into the
    environment of a user who expected secure content download from an HTTPS
    site by using an HTTPS repository.
    
    Conflicts:
    
    	lib/rubygems/config_file.rb
    	lib/rubygems/remote_fetcher.rb
    	test/test_gem_config_file.rb
    nahi committed with evanphx Mar 13, 2012
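The two fixes the commit message describes, written out as an added illustration in Ruby that is not RubyGems' own RemoteFetcher code: a trust store that honours an ssl_ca_cert path (or falls back to the default store plus a bundled directory), a Net::HTTP client pinned to VERIFY_PEER, and a redirect policy that refuses HTTPS -> HTTP. The bundled_dir path, the FetchError class and the self-signed test CA are assumptions made for the example.

```ruby
require 'openssl'
require 'net/http'

class FetchError < StandardError; end

# Trust store as the commit describes: when an ssl_ca_cert path is set, trust only
# that file; otherwise OpenSSL's default store plus every *.pem in bundled_dir (hypothetical).
def build_cert_store(ssl_ca_cert: nil, bundled_dir: nil)
  store = OpenSSL::X509::Store.new
  if ssl_ca_cert
    store.add_file(ssl_ca_cert)
  else
    store.set_default_paths
    Dir.glob(File.join(bundled_dir, '*.pem')).each { |f| store.add_file(f) } if bundled_dir
  end
  store
end

# Client that verifies the peer (VERIFY_PEER, never VERIFY_NONE); nothing is connected here.
def verifying_client(uri, store)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Redirect policy: HTTPS -> HTTP is refused, the other three combinations are allowed.
def redirect_target!(from, location)
  from, to = URI(from), URI(location)
  raise FetchError, "redirecting to non-https resource: #{to}" if from.scheme == 'https' && to.scheme != 'https'
  to
end

# Constructed self-signed CA (not a real RubyGems certificate) to show a store trusts only what it was given.
def make_test_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-test-CA')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```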
Commits on May 14, 2010
  1. 1.3.7 release tag

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/tags/REL_1_3_7@2527 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed May 14, 2010
  2. Merge 2525

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2526 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed May 14, 2010
  3. Merge 2523

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2524 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed May 14, 2010
  4. Merge 2521

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2522 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed May 14, 2010
  5. Merge 2519

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2520 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed May 14, 2010
  6. Merge 2517

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2518 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed May 14, 2010
Commits on May 1, 2010
  1. Merge from trunk

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2516 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed May 1, 2010
Commits on Apr 22, 2010
  1. Merge from trunk

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2512 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 22, 2010
  2. Merge from trunk

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2510 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 22, 2010
  3. Merge version change

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2507 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 22, 2010
  4. Merge from trunk

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2505 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 22, 2010
  5. Merge some more

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2503 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 22, 2010
  6. Merge from trunk

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2502 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 22, 2010
Commits on Apr 20, 2010
  1. Merge 2484

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2485 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 20, 2010
  2. Missed merges

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2483 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 20, 2010
  3. Merge from trunk

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2481 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 20, 2010
  4. Merge 2278, 2280-2284

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2480 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Apr 20, 2010
Commits on Feb 21, 2010
  1. Merge Rakefile fixups

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2454 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 21, 2010
  2. Fix tag task

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2452 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 21, 2010
  3. Don't publish to rubyforge

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2451 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 21, 2010
  4. Fix rubyforge name

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2450 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 21, 2010
  5. 2448

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2449 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 21, 2010
  6. 2446

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2447 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 21, 2010
Commits on Feb 19, 2010
  1. Merge 2444

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2445 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 19, 2010
Commits on Feb 16, 2010
  1. 2441

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2442 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 16, 2010
Commits on Feb 12, 2010
  1. 2439

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2440 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 12, 2010
  2. 2437

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2438 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 12, 2010
  3. Merge 2414:2416

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2417 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 12, 2010
Commits on Feb 10, 2010
  1. 2410

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2411 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 10, 2010
  2. 2408

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2409 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 10, 2010
  3. 2406

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2407 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 10, 2010
  4. 2404

    git-svn-id: svn+ssh://rubyforge.org/var/svn/rubygems/branches/1_3@2405 3d4018f9-ac1a-0410-99e9-8a154d859a19
    drbrain committed Feb 10, 2010