Hello community, here is the log from the commit of package rubygem-rubyzip for openSUSE:Factory checked in at 2019-07-08 15:12:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-rubyzip (Old) and /work/SRC/openSUSE:Factory/.rubygem-rubyzip.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rubyzip" Mon Jul 8 15:12:37 2019 rev:15 rq:713997 version:1.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-rubyzip/rubygem-rubyzip.changes 2019-03-01 16:46:25.709821761 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-rubyzip.new.4615/rubygem-rubyzip.changes 2019-07-08 16:41:15.268979456 +0200 @@ -1,0 +2,17 @@ +Mon Jul 8 07:53:40 UTC 2019 - Manuel Schnitzer <mschnit...@suse.com> + +- updated to version 1.2.3 + + * Allow tilde in zip entry names [#391](https://github.com/rubyzip/rubyzip/pull/391) (fixes regression in 1.2.2 from [#376](https://github.com/rubyzip/rubyzip/pull/376)) + * Support frozen string literals in more files [#390](https://github.com/rubyzip/rubyzip/pull/390) + * Require `pathname` explicitly [#388](https://github.com/rubyzip/rubyzip/pull/388) (fixes regression in 1.2.2 from [#376](https://github.com/rubyzip/rubyzip/pull/376)) + + Tooling / Documentation: + + * CI updates [#392](https://github.com/rubyzip/rubyzip/pull/392), [#394](https://github.com/rubyzip/rubyzip/pull/394) + - Bump supported ruby versions and add 2.6 + - JRuby failures are no longer ignored (reverts [#375](https://github.com/rubyzip/rubyzip/pull/375) / part of [#371](https://github.com/rubyzip/rubyzip/pull/371)) + * Add changelog entry that was missing for last release [#387](https://github.com/rubyzip/rubyzip/pull/387) + * Comment cleanup [#385](https://github.com/rubyzip/rubyzip/pull/385) + +------------------------------------------------------------------- Old: ---- rubyzip-1.2.2.gem New: ---- rubyzip-1.2.3.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rubyzip.spec ++++++ --- /var/tmp/diff_new_pack.SipHRu/_old 2019-07-08 16:41:15.840980267 +0200 +++ /var/tmp/diff_new_pack.SipHRu/_new 2019-07-08 16:41:15.844980273 +0200 
@@ -24,7 +24,7 @@ # Name: rubygem-rubyzip -Version: 1.2.2 +Version: 1.2.3 Release: 0 %define mod_name rubyzip %define mod_full_name %{mod_name}-%{version} ++++++ rubyzip-1.2.2.gem -> rubyzip-1.2.3.gem ++++++ Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/zip/entry.rb new/lib/zip/entry.rb --- old/lib/zip/entry.rb 2018-08-31 18:20:18.000000000 +0200 +++ new/lib/zip/entry.rb 2019-05-23 19:58:25.000000000 +0200 @@ -1,3 +1,4 @@ +require 'pathname' module Zip class Entry STORED = 0 @@ -117,7 +118,7 @@ return false unless cleanpath.relative? root = ::File::SEPARATOR naive_expanded_path = ::File.join(root, cleanpath.to_s) - cleanpath.expand_path(root).to_s == naive_expanded_path + ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path end def local_entry_offset #:nodoc:all @@ -275,10 +276,10 @@ zip64 = @extra['Zip64'] [::Zip::LOCAL_ENTRY_SIGNATURE, @version_needed_to_extract, # version needed to extract - @gp_flags, # @gp_flags , + @gp_flags, # @gp_flags @compression_method, - @time.to_binary_dos_time, # @last_mod_time , - @time.to_binary_dos_date, # @last_mod_date , + @time.to_binary_dos_time, # @last_mod_time + @time.to_binary_dos_date, # @last_mod_date @crc, zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size, zip64 && zip64.original_size ? 0xFFFFFFFF : @size, 
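Review bot: The new last line of the `@@ -117,7 +118,7 @@` hunk in lib/zip/entry.rb swaps `cleanpath.expand_path(root)` for `::File.absolute_path(cleanpath.to_s, root)` without a comment saying why, and that difference is what this path-traversal check now depends on. `expand_path` treats a leading `~` as a home directory while `absolute_path` keeps it literal, so a later tidy-up back to `expand_path` would silently reintroduce the regression named in the changelog. I would add above that line `# absolute_path, not expand_path: a leading "~" in an entry name must stay literal, never become a home directory`. The comparison is purely lexical and the method starts above the hunk, so whether symlinked entries are handled elsewhere cannot be judged from here.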
@@ -432,11 +433,11 @@ @header_signature, @version, # version of encoding software @fstype, # filesystem type - @version_needed_to_extract, # @versionNeededToExtract , - @gp_flags, # @gp_flags , + @version_needed_to_extract, # @versionNeededToExtract + @gp_flags, # @gp_flags @compression_method, - @time.to_binary_dos_time, # @last_mod_time , - @time.to_binary_dos_date, # @last_mod_date , + @time.to_binary_dos_time, # @last_mod_time + @time.to_binary_dos_date, # @last_mod_date @crc, zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size, zip64 && zip64.original_size ? 0xFFFFFFFF : @size, @@ -602,7 +603,7 @@ get_input_stream do |is| set_extra_attributes_on_path(dest_path) - buf = '' + buf = ''.dup while (buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf)) os << buf end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/zip/extra_field.rb new/lib/zip/extra_field.rb --- old/lib/zip/extra_field.rb 2018-08-31 18:20:18.000000000 +0200 +++ new/lib/zip/extra_field.rb 2019-05-23 19:58:25.000000000 +0200 @@ -26,7 +26,7 @@ end def create_unknown_item - s = '' + s = ''.dup class << s alias_method :to_c_dir_bin, :to_s alias_method :to_local_bin, :to_s diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/zip/inflater.rb new/lib/zip/inflater.rb --- old/lib/zip/inflater.rb 2018-08-31 18:20:18.000000000 +0200 +++ new/lib/zip/inflater.rb 2019-05-23 19:58:25.000000000 +0200 @@ -3,7 +3,7 @@ def initialize(input_stream, decrypter = NullDecrypter.new) super(input_stream) @zlib_inflater = ::Zlib::Inflate.new(-Zlib::MAX_WBITS) - @output_buffer = '' + @output_buffer = ''.dup @has_returned_empty_string = false @decrypter = decrypter end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/zip/version.rb new/lib/zip/version.rb --- old/lib/zip/version.rb 2018-08-31 18:20:18.000000000 +0200 +++ new/lib/zip/version.rb 2019-05-23 19:58:25.000000000 +0200 
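Review bot: In the `@@ -602,7 +603,7 @@` hunk of lib/zip/entry.rb, the loop around the changed `buf = ''.dup` line writes every chunk `sysread` returns until the stream ends, and nothing visible compares the bytes written with the size the entry declares. An archive whose header understates the uncompressed size could then fill the destination disk. The enclosing method starts and ends outside the hunk, so a limit may exist elsewhere; confirm that before changing anything. If there is none, initialise `written = 0` before the loop and add inside it `written += buf.bytesize` and `raise ::Zip::Error, 'entry exceeds its declared size' if written > @size`. Check first that `@size` is already populated at this point for entries that use zip64 fields or a data descriptor.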
@@ -1,3 +1,3 @@ module Zip - VERSION = '1.2.2' + VERSION = '1.2.3' end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2018-08-31 18:20:18.000000000 +0200 +++ new/metadata 2019-05-23 19:58:25.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: rubyzip version: !ruby/object:Gem::Version - version: 1.2.2 + version: 1.2.3 platform: ruby authors: - Alexander Simonov autorequire: bindir: bin cert_chain: [] -date: 2018-08-31 00:00:00.000000000 Z +date: 2019-05-23 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: rake @@ -164,6 +164,7 @@ - test/data/path_traversal/jwilk/relative2.zip - test/data/path_traversal/jwilk/symlink.zip - test/data/path_traversal/relative1.zip +- test/data/path_traversal/tilde.zip - test/data/path_traversal/tuzovakaoff/README.md - test/data/path_traversal/tuzovakaoff/absolutepath.zip - test/data/path_traversal/tuzovakaoff/symlink.zip @@ -226,8 +227,7 @@ - !ruby/object:Gem::Version version: '0' requirements: [] -rubyforge_project: -rubygems_version: 2.6.13 +rubygems_version: 3.0.1 signing_key: specification_version: 4 summary: rubyzip is a ruby module for reading and writing zip files @@ -280,6 +280,7 @@ - test/data/rubycode2.zip - test/data/mimetype - test/data/zipWithEncryption.zip +- test/data/path_traversal/tilde.zip - test/data/path_traversal/Makefile - test/data/path_traversal/relative1.zip - test/data/path_traversal/jwilk/dirsymlink.zip Binary files old/test/data/path_traversal/tilde.zip and new/test/data/path_traversal/tilde.zip differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/test/path_traversal_test.rb new/test/path_traversal_test.rb --- old/test/path_traversal_test.rb 2018-08-31 18:20:18.000000000 +0200 +++ new/test/path_traversal_test.rb 2019-05-23 19:58:25.000000000 +0200 
@@ -131,4 +131,11 @@ refute File.exist?('/tmp/file.txt') end end + + def test_entry_name_with_tilde + in_tmpdir do + extract_path_traversal_zip 'tilde.zip' + assert File.exist?('~tilde~') + end + end end
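Review bot: `test_entry_name_with_tilde` in test/path_traversal_test.rb asserts only `File.exist?('~tilde~')`, so it pins that the name is accepted but not the safety side of the `name_safe?` change. The contents of `tilde.zip` are not visible here. If it holds just that one entry, I would add a fixture whose entry name begins with `~/` and assert that the file lands under the temporary directory. A `refute File.exist?(File.expand_path('~/<fixture-entry-name>'))` alongside it, in the style of the `refute File.exist?('/tmp/file.txt')` case just above, would show nothing is created in the real home directory. The test class begins outside the hunk.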