fix CVE-2023-22797

modified: rubygem-actionpack.spec new file: CVE-2023-22797.patch modified: rubygem-actionpack.spec
2023-02-20 15:01:11 +08:00 · 2023-02-20 15:01:11 +08:00 · 3200f6f762
commit 3200f6f762
parent cb24e67e4c
2 changed files with 38 additions and 1 deletions
--- a/CVE-2023-22797.patch
+++ b/CVE-2023-22797.patch
@ -0,0 +1,32 @@
+From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
+From: wonda-tea-coffee <lagrange.resolvent@gmail.com>
+Date: Mon, 5 Dec 2022 12:27:15 +0000
+Subject: [PATCH] Fix sec issue with _url_host_allowed?
+
+Disallow certain strings from `_url_host_allowed?` to avoid a redirect
+to malicious sites.
+
+[CVE-2023-22797]
+---
+ .../action_controller/metal/redirecting.rb    |  6 ++-
+ actionpack/test/controller/redirect_test.rb   | 38 +++++++++++++++++++
+ 2 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
+index 721d5d3279..0ae6a48748 100644
+--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
+@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
+ 
+       def _url_host_allowed?(url)
+         host = URI(url.to_s).host
+-        host == request.host || host.nil? && url.to_s.start_with?("/")
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        return !url.to_s.start_with?("//")
+       rescue ArgumentError, URI::Error
+         false
+       end
+
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@ -4,7 +4,7 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	7.0.4
-Release: 	1
+Release: 	2
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@ -22,6 +22,7 @@ Source2: 	rails-%{version}-tools.txz
 # Fixes for Minitest 5.16+
 # https://github.com/rails/rails/pull/45370
 Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
+Patch1: CVE-2023-22797.patch

 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@ -59,6 +60,7 @@ Documentation for %{name}.

 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
+%patch1 -p2

 pushd %{_builddir}
 %patch0 -p2
@ -104,6 +106,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Mon Feb 20 2023 jiangpeng <jiangpeng01@ncti-gba.cn> - 1:7.0.4-2
+- Fix CVE-2023-22797
+
 * Fri Jan 20 2023 wangkai <wangkai385@h-partners.com> - 1:7.0.4-1
 - Upgrade to version 7.0.4