!67 Fix CVE-2024-41128 and CVE-2024-47887

From: @starlet-dx 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
openeuler-ci-bot 2024-10-18 01:35:41 +00:00 committed by Gitee
commit 11c1f79ad0
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 74 additions and 1 deletions


@ -0,0 +1,38 @@
From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:41:33 -0700
Subject: [PATCH] Avoid backtracking in filtered_query_string
Thanks scyoon for the patch
CVE-2024-41128
---
.../lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb
index d053fc0b9f781..0e2e771da104d 100644
--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb
+++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb
@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc:
ActiveSupport::ParameterFilter.new(filters)
end
- KV_RE = "[^&;=]+"
- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
def filtered_query_string # :doc:
- query_string.gsub(PAIR_RE) do |_|
- parameter_filter.filter($1 => $2).first.join("=")
+ parts = query_string.split(/([&;])/)
+ filtered_parts = parts.map do |part|
+ if part.include?("=")
+ key, value = part.split("=", 2)
+ parameter_filter.filter(key => value).first.join("=")
+ else
+ part
+ end
end
+ filtered_parts.join("")
end
end
end

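Review bot: the split-based rewrite changes which parts of the query string reach the filter, and neither the backport file nor the spec changelog records that. The old `PAIR_RE` only matched a non-empty key followed by a non-empty value, so `token=`, `=secret` and the `=c` tail of `a=b=c` were left untouched; the new `part.split("=", 2)` hands `key => ""`, `"" => value` and `"a" => "b=c"` to `parameter_filter.filter`, so everything after the first `=` in a segment is now treated as the value. That is the safer direction (more of the string is subject to filtering), but it is a behaviour change that upstream covers with tests and this backport does not: the spec ships `-test.patch` companions for the earlier CVEs (Patch2, Patch4) and none for this one, so a small regression test over `a=b=c`, a separator-only string such as `&;&`, and a check that a long pathological query string returns promptly would pin the new semantics down. One more thing to verify before merging: the hunk header announces 12 old / 17 new lines, but the rendered hunk shows 11 / 16, i.e. the blank context line between the `end` of `parameter_filter_for` and `KV_RE` appears to be missing; if the stored file matches what is rendered here, `patch -p2 --dry-run` against the 7.0.7 tree will show whether it still applies.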

@ -0,0 +1,26 @@
From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:32:00 -0700
Subject: [PATCH] Avoid backtracking in Token#raw_params
Thanks to scyoon for the patch
[CVE-2024-47887]
---
actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 439ffd5c99490..e42791bbc23d8 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -506,7 +506,8 @@ def rewrite_param_values(array_params)
# pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
# delimiters defined in +AUTHN_PAIR_DELIMITERS+.
def raw_params(auth)
- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+ _raw_params.reject!(&:empty?)
if !_raw_params.first&.start_with?(TOKEN_KEY)
_raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

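Review bot: `.map(&:strip)` followed by `reject!(&:empty?)` does more than remove the backtracking, and the doc comment just above (`# pairs by the standardized ... delimiters`) should say so. The old `/\s*#{AUTHN_PAIR_DELIMITERS}\s*/` consumed only whitespace adjacent to a delimiter and kept empty fields, whereas the new code also trims whitespace at the very start and end of the remainder and silently drops empty fields, so a parameter list with a doubled delimiter or a leading delimiter now yields a different array than before. Both effects look benign for the `key="value"` pairs this method consumes, and the `_raw_params.first&.start_with?(TOKEN_KEY)` guard below actually benefits from a leading empty field no longer being promoted into the token slot, but that is exactly the case a test should cover: a header whose parameter list begins with a delimiter, and one with consecutive delimiters. Minor style point: since `_raw_params` is a fresh local, the destructive `reject!` can simply be chained as `.map(&:strip).reject(&:empty?)`, which also avoids relying on `reject!` returning `nil` when nothing was removed.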

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name}
Epoch: 1
Version: 7.0.7
Release: 3
Release: 4
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT
URL: http://rubyonrails.org
@ -29,6 +29,9 @@ Patch2: CVE-2024-26143-test.patch
Patch3: CVE-2024-28103.patch
Patch4: CVE-2024-28103-test.patch
Patch3000: backport-CVE-2024-41128.patch
Patch3001: backport-CVE-2024-47887.patch
# Let's keep Requires and BuildRequires sorted alphabeticaly
BuildRequires: ruby(release)
BuildRequires: rubygems-devel
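Review bot: Patch3000 and Patch3001 are added without the `-test.patch` companions that Patch2 and Patch4 carry for the earlier CVEs, so nothing in the build exercises the rewritten query-string filtering or token-parameter parsing. Suggest backporting the upstream regression tests under the same numbering scheme (e.g. `Patch3002: backport-CVE-2024-41128-test.patch`, `Patch3003: backport-CVE-2024-47887-test.patch`) and applying them in the same `%prep` block as the existing test patches, so that the two behaviour changes these backports introduce are covered rather than only assumed.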
@ -68,6 +71,9 @@ Documentation for %{name}.
%patch1 -p2
%patch3 -p2
%patch3000 -p2
%patch3001 -p2
pushd %{_builddir}
%patch0 -p2
%patch2 -p2
@ -114,6 +120,9 @@ popd
%doc %{gem_instdir}/README.rdoc
%changelog
* Fri Oct 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-4
- Fix CVE-2024-41128 and CVE-2024-47887
* Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-3
- Fix CVE-2024-28103