From 57fc328fa79450055d833fd5489f895a771dd638 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 6 Jun 2024 09:46:38 +0800
Subject: [PATCH] Fix CVE-2024-28103

(cherry picked from commit b0e03059a0a8f3caed107c4efe7d770bfa9b533a)
---
 CVE-2024-28103-test.patch | 62 +++++++++++++++++++++++++++++++++++++++
 CVE-2024-28103.patch | 43 +++++++++++++++++++++++++++
 rubygem-actionpack.spec | 10 ++++++-
 3 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-28103-test.patch
 create mode 100644 CVE-2024-28103.patch

diff --git a/CVE-2024-28103-test.patch b/CVE-2024-28103-test.patch
new file mode 100644
index 0000000..308047d
--- /dev/null
+++ b/CVE-2024-28103-test.patch
@@ -0,0 +1,62 @@
+diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
+index 030e37942bd0e..533b59a55094d 100644
+--- a/actionpack/test/dispatch/permissions_policy_test.rb
++++ b/actionpack/test/dispatch/permissions_policy_test.rb
+@@ -41,6 +41,57 @@ def test_invalid_directive_source
+ end
+ end
+
++class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
++ APP = ->(env) { [200, {}, []] }
++
++ POLICY = ActionDispatch::PermissionsPolicy.new do |p|
++ p.gyroscope :self
++ end
++
++ class PolicyConfigMiddleware
++ def initialize(app)
++ @app = app
++ end
++
++ def call(env)
++ env["action_dispatch.permissions_policy"] = POLICY
++ env["action_dispatch.show_exceptions"] = :none
++
++ @app.call(env)
++ end
++ end
++
++ test "html requests will set a policy" do
++ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
++ # Dummy CONTENT_TYPE to avoid including backport of the following commit in
++ # a security-related patch:
++ # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
++ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++ assert_equal "text/html", response.headers['Content-Type']
++ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++ end
++
++ test "non-html requests will set a policy" do
++ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
++ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++ assert_equal "application/json", response.headers['Content-Type']
++ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++ end
++
++ private
++ def build_app(app)
++ PolicyConfigMiddleware.new(
++ Rack::Lint.new(
++ ActionDispatch::PermissionsPolicy::Middleware.new(
++ Rack::Lint.new(app),
++ ),
++ ),
++ )
++ end
++end
++
+ class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
+ class PolicyController < ActionController::Base
+ permissions_policy only: :index do |f|
diff --git a/CVE-2024-28103.patch b/CVE-2024-28103.patch
new file mode 100644
index 0000000..0eb4699
--- /dev/null
+++ b/CVE-2024-28103.patch
@@ -0,0 +1,43 @@
+From b84cbecacd114102e1884a6169388d7cb7ea325d Mon Sep 17 00:00:00 2001
+From: Zack Deveau
+Date: Wed, 28 Feb 2024 16:49:11 -0500
+Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
+
+[CVE-2024-28103]
+The application configurable Permissions-Policy is only
+served on responses with an HTML related Content-Type.
+
+This change allows all Content-Types to serve the
+configured Permissions-Policy as there are many non-HTML
+Content-Types that would benefit from this header.
+(examples include image/svg+xml and application/xml)
+---
+ .../http/permissions_policy.rb | 7 ---
+ .../test/dispatch/permissions_policy_test.rb | 51 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+index 5666ad0acb006..6ec9087e37bd9 100644
+--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
++++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+@@ -37,7 +37,6 @@ def call(env)
+ request = ActionDispatch::Request.new(env)
+ _, headers, _ = response = @app.call(env)
+
+- return response unless html_response?(headers)
+ return response if policy_present?(headers)
+
+ if policy = request.permissions_policy
+@@ -52,12 +51,6 @@ def call(env)
+ end
+
+ private
+- def html_response?(headers)
+- if content_type = headers[CONTENT_TYPE]
+- /html/.match?(content_type)
+- end
+- end
+-
+ def policy_present?(headers)
+ headers[POLICY]
+ end
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 456b293..c9bb637 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
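Review bot: `++ env["action_dispatch.show_exceptions"] = :none` in PolicyConfigMiddleware#call is the Rails 7.1 spelling of this setting, while this spec builds actionpack 7.0.7; in the 7.0 line the value is, as far as I recall, read as a boolean, so a truthy `:none` would leave exception rendering on rather than off and the 7.0 equivalent is `false` — worth confirming against the 7.0.7 implementation of `Request#show_exceptions?`. The stubbed apps never raise, so both tests still pass, but a failure inside the middleware under test would then show up as a less informative 500 response instead of the raised exception. `++ APP = ->(env) { [200, {}, []] }` is defined but never referenced in the visible hunk — both tests pass their own lambda to `build_app` — so it can be dropped. The nested test file continues past this hunk (the PolicyController class is cut off).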
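Review bot: The embedded upstream header lines `+ .../test/dispatch/permissions_policy_test.rb | 51 +++++++++++++++++++` and `+ 2 files changed, 51 insertions(+), 7 deletions(-)` still describe both halves of the upstream commit, but this file carries only the library hunks; the test half was moved to CVE-2024-28103-test.patch. `patch` ignores the stat lines so the build is unaffected, but anyone auditing what was applied sees a diffstat that does not match the body — trimming those two lines, or adding a `[backport: tests split into CVE-2024-28103-test.patch]` line to the embedded message, would make the split explicit. The code change itself matches upstream: removing `return response unless html_response?(headers)` means the policy header is emitted for any Content-Type when a policy is configured and the response does not already carry one, while the retained `policy_present?` check still avoids overwriting an application-set header. Both nested hunks fall inside `call` and the `private` section, whose surrounding lines lie outside what is shown.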
@@ -4,7 +4,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 7.0.7 -Release: 2 +Release: 3 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org @@ -25,6 +25,9 @@ Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch # https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc Patch1: CVE-2024-26143.patch Patch2: CVE-2024-26143-test.patch +# https://github.com/rails/rails/commit/b84cbecacd114102e1884a6169388d7cb7ea325d +Patch3: CVE-2024-28103.patch +Patch4: CVE-2024-28103-test.patch # Let's keep Requires and BuildRequires sorted alphabeticaly BuildRequires: ruby(release) @@ -63,10 +66,12 @@ Documentation for %{name}. %prep %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2 %patch1 -p2 +%patch3 -p2 pushd %{_builddir} %patch0 -p2 %patch2 -p2 +%patch4 -p2 popd %build @@ -109,6 +114,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Thu Jun 06 2024 yaoxin - 1:7.0.7-3 +- Fix CVE-2024-28103 + * Wed Feb 28 2024 yaoxin - 1:7.0.7-2 - Fix CVE-2024-26143 and remove unused file