packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-22797

Browse Source 
modified:   rubygem-actionpack.spec

	new file:   CVE-2023-22797.patch
	modified:   rubygem-actionpack.spec
This commit is contained in:
peng2285 2023-02-20 15:01:11 +08:00
parent cb24e67e4c
commit 3200f6f762
2 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
CVE-2023-22797.patch Normal file
View File

@ -0,0 +1,32 @@
From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
From: wonda-tea-coffee <lagrange.resolvent@gmail.com>
Date: Mon, 5 Dec 2022 12:27:15 +0000
Subject: [PATCH] Fix sec issue with _url_host_allowed?
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
to malicious sites.
[CVE-2023-22797]
---
.../action_controller/metal/redirecting.rb | 6 ++-
actionpack/test/controller/redirect_test.rb | 38 +++++++++++++++++++
2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 721d5d3279..0ae6a48748 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
def _url_host_allowed?(url)
host = URI(url.to_s).host
- host == request.host || host.nil? && url.to_s.start_with?("/")
+
+ return true if host == request.host
+ return false unless host.nil?
+ return false unless url.to_s.start_with?("/")
+ return !url.to_s.start_with?("//")
rescue ArgumentError, URI::Error
false
end

7
rubygem-actionpack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 7.0.4 Version: 7.0.4
Release: 1 Release: 2
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -22,6 +22,7 @@ Source2: rails-%{version}-tools.txz
# Fixes for Minitest 5.16+ # Fixes for Minitest 5.16+
# https://github.com/rails/rails/pull/45370 # https://github.com/rails/rails/pull/45370
Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
Patch1: CVE-2023-22797.patch
# Let's keep Requires and BuildRequires sorted alphabeticaly # Let's keep Requires and BuildRequires sorted alphabeticaly
BuildRequires: ruby(release) BuildRequires: ruby(release)
@ -59,6 +60,7 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
%patch1 -p2
pushd %{_builddir} pushd %{_builddir}
%patch0 -p2 %patch0 -p2
@ -104,6 +106,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Mon Feb 20 2023 jiangpeng <jiangpeng01@ncti-gba.cn> - 1:7.0.4-2
- Fix CVE-2023-22797
* Fri Jan 20 2023 wangkai <wangkai385@h-partners.com> - 1:7.0.4-1 * Fri Jan 20 2023 wangkai <wangkai385@h-partners.com> - 1:7.0.4-1
- Upgrade to version 7.0.4 - Upgrade to version 7.0.4