packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!8 Fix CVE-2021-22885

Browse Source 
From: @wang_yue111
Reviewed-by: @shinwell_hu
Signed-off-by: @shinwell_hu
This commit is contained in:
openeuler-ci-bot 2021-06-11 09:12:06 +00:00 committed by Gitee
commit 4ef76b5010
2 changed files with 60 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
CVE-2021-22885.patch Normal file
View File

@ -0,0 +1,53 @@
From be6dd1c705551823db13b47ca76b0a6540e21135 Mon Sep 17 00:00:00 2001
From: Gannon McGibbon <gannon.mcgibbon@shopify.com>
Date: Thu, 18 Feb 2021 13:17:08 -0500
Subject: [PATCH] Prevent string polymorphic route arguments
url_for supports building polymorphic URLs via an array
of arguments (usually symbols and records). If an array is passed,
strings can result in unwanted route helper calls.
CVE-2021-22885
---
.../action_dispatch/routing/polymorphic_routes.rb | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
index 6da869c..84b78e1 100644
--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
@@ -288,10 +288,12 @@ module ActionDispatch
args = []
- route = record_list.map { |parent|
+ route = record_list.map do |parent|
case parent
- when Symbol, String
+ when Symbol
parent.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
when Class
args << parent
parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
args << parent.to_model
parent.to_model.model_name.singular_route_key
end
- }
+ end
route <<
case record
- when Symbol, String
+ when Symbol
record.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
when Class
@key_strategy.call record.model_name
else
--
2.23.0

9
rubygem-actionpack.spec
View File

@ -4,12 +4,13 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 5.2.4.4 Version: 5.2.4.4
Release: 1 Release: 2
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
Patch0: CVE-2021-22885.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
%if ! 0%{?bootstrap} %if ! 0%{?bootstrap}
BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version} BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}
@ -33,6 +34,7 @@ Documentation for %{name}.
%prep %prep
%setup -q -c -T %setup -q -c -T
%gem_install -n %{SOURCE0} %gem_install -n %{SOURCE0}
%patch0 -p1
%build %build
@ -63,7 +65,10 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Mon Feb 8 2021sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1 * Fri Jun 11 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-2
- Fix CVE-2021-22885
* Mon Feb 8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
- Upgrade to 5.2.4.4 - Upgrade to 5.2.4.4
* Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1 * Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1