Add missing gzip footer check in ActiveSupport::Gzip.decompress

A gzip file has a checksum and length for the decompressed data in its
footer which isn't checked by just calling Zlib::GzipReader#read.
Calling Zlib::GzipReader#close must be called after reading to the end
of the file causes this check to be done, which is done by
Zlib::GzipReader.wrap after its block is called.

actionpack/test/dispatch/static_test.rb

@@ -224,7 +224,7 @@ module StaticTests
 
     def assert_gzip(file_name, response)
       expected = File.read("#{FIXTURE_LOAD_PATH}/#{public_path}" + file_name)
-      actual   = Zlib::GzipReader.new(StringIO.new(response.body)).read
+      actual   = ActiveSupport::Gzip.decompress(response.body)
       assert_equal expected, actual
     end
 

activesupport/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Rails 5.1.0.beta1 (February 23, 2017) ##
 
+*   `ActiveSupport::Gzip.decompress` now checks checksum and length in footer.
+
+    *Dylan Thacker-Smith*
+
 *   Cache `ActiveSupport::TimeWithZone#to_datetime` before freezing.
 
     *Adam Rice*

activesupport/lib/active_support/gzip.rb

@@ -21,7 +21,7 @@ module ActiveSupport
 
     # Decompresses a gzipped string.
     def self.decompress(source)
-      Zlib::GzipReader.new(StringIO.new(source)).read
+      Zlib::GzipReader.wrap(StringIO.new(source), &:read)
     end
 
     # Compresses a string using gzip.

activesupport/test/gzip_test.rb

@@ -30,4 +30,14 @@ class GzipTest < ActiveSupport::TestCase
 
     assert_equal true, (gzipped_by_best_compression.bytesize < gzipped_by_speed.bytesize)
   end
+
+  def test_decompress_checks_crc
+    compressed = ActiveSupport::Gzip.compress("Hello World")
+    first_crc_byte_index = compressed.bytesize - 8
+    compressed.setbyte(first_crc_byte_index, compressed.getbyte(first_crc_byte_index) ^ 0xff)
+
+    assert_raises(Zlib::GzipFile::CRCError) do
+      ActiveSupport::Gzip.decompress(compressed)
+    end
+  end
 end