From 29c02709cd68a122c5db4f58ec0e901fe3d507cc Mon Sep 17 00:00:00 2001 From: Dylan Thacker-Smith Date: Fri, 24 Feb 2017 17:26:54 -0500 Subject: Add missing gzip footer check in ActiveSupport::Gzip.decompress A gzip file has a checksum and length for the decompressed data in its footer which isn't checked by just calling Zlib::GzipReader#read. Calling Zlib::GzipReader#close must be called after reading to the end of the file causes this check to be done, which is done by Zlib::GzipReader.wrap after its block is called.
---
 activesupport/test/gzip_test.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'activesupport/test/gzip_test.rb')
diff --git a/activesupport/test/gzip_test.rb b/activesupport/test/gzip_test.rb
index f51d3cdf65..33e0cd2a04 100644
--- a/activesupport/test/gzip_test.rb
+++ b/activesupport/test/gzip_test.rb
@@ -30,4 +30,14 @@ class GzipTest < ActiveSupport::TestCase
 assert_equal true, (gzipped_by_best_compression.bytesize < gzipped_by_speed.bytesize)
 end
+
+ def test_decompress_checks_crc
+ compressed = ActiveSupport::Gzip.compress("Hello World")
+ first_crc_byte_index = compressed.bytesize - 8
+ compressed.setbyte(first_crc_byte_index, compressed.getbyte(first_crc_byte_index) ^ 0xff)
+
+ assert_raises(Zlib::GzipFile::CRCError) do
+ ActiveSupport::Gzip.decompress(compressed)
+ end
+ end
 end
-- cgit v1.2.3
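Review bot: `test_decompress_checks_crc` exercises only the CRC32 half of the gzip trailer, while the commit message says the footer check also covers the decompressed length; nothing in this hunk corrupts the ISIZE field. A sibling test that flips a byte at `compressed.bytesize - 4` and expects `Zlib::GzipFile::LengthError` would pin that path too; the library side of the change is not shown on this page, so the expected exception is inferred from Ruby's zlib footer check and should be confirmed. The bare `- 8` would read better with a comment such as `# gzip trailer (RFC 1952): 4-byte CRC32 followed by 4-byte ISIZE`. Both checks detect accidental corruption or truncation only; CRC32 is not a MAC, so callers decompressing untrusted data still need separate authentication.

```ruby
  # … unchanged: test_decompress_checks_crc …

  def test_decompress_checks_length
    compressed = ActiveSupport::Gzip.compress("Hello World")
    # gzip trailer (RFC 1952): 4-byte CRC32 followed by 4-byte ISIZE
    first_length_byte_index = compressed.bytesize - 4
    compressed.setbyte(first_length_byte_index, compressed.getbyte(first_length_byte_index) ^ 0xff)

    assert_raises(Zlib::GzipFile::LengthError) do
      ActiveSupport::Gzip.decompress(compressed)
    end
  end
```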