Fix CVE-2024-28103

(cherry picked from commit b0e03059a0a8f3caed107c4efe7d770bfa9b533a)
2024-06-06 09:46:38 +08:00 · 2024-06-06 09:46:38 +08:00 · 57fc328fa7
commit 57fc328fa7
parent 6cb323c2b0
3 changed files with 114 additions and 1 deletions
--- a/CVE-2024-28103-test.patch
+++ b/CVE-2024-28103-test.patch
@ -0,0 +1,62 @@
+diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
+index 030e37942bd0e..533b59a55094d 100644
+--- a/actionpack/test/dispatch/permissions_policy_test.rb
+++ b/actionpack/test/dispatch/permissions_policy_test.rb
+@@ -41,6 +41,57 @@ def test_invalid_directive_source
+   end
+ end
+ 
+class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
+  APP = ->(env) { [200, {}, []] }
+
+  POLICY = ActionDispatch::PermissionsPolicy.new do |p|
+    p.gyroscope :self
+  end
+
+  class PolicyConfigMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      env["action_dispatch.permissions_policy"] = POLICY
+      env["action_dispatch.show_exceptions"] = :none
+
+      @app.call(env)
+    end
+  end
+
+  test "html requests will set a policy" do
+    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
+    # Dummy CONTENT_TYPE to avoid including backport of the following commit in
+    # a security-related patch:
+    # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
+    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+    assert_equal "text/html", response.headers['Content-Type']
+    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+  end
+
+  test "non-html requests will set a policy" do
+    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
+    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+    assert_equal "application/json", response.headers['Content-Type']
+    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+  end
+
+  private
+    def build_app(app)
+      PolicyConfigMiddleware.new(
+        Rack::Lint.new(
+          ActionDispatch::PermissionsPolicy::Middleware.new(
+            Rack::Lint.new(app),
+          ),
+        ),
+      )
+    end
+end
+
+ class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
+   class PolicyController < ActionController::Base
+     permissions_policy only: :index do |f|
--- a/CVE-2024-28103.patch
+++ b/CVE-2024-28103.patch
@ -0,0 +1,43 @@
+From b84cbecacd114102e1884a6169388d7cb7ea325d Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Wed, 28 Feb 2024 16:49:11 -0500
+Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
+
+[CVE-2024-28103]
+The application configurable Permissions-Policy is only
+served on responses with an HTML related Content-Type.
+
+This change allows all Content-Types to serve the
+configured Permissions-Policy as there are many non-HTML
+Content-Types that would benefit from this header.
+(examples include image/svg+xml and application/xml)
+---
+ .../http/permissions_policy.rb                |  7 ---
+ .../test/dispatch/permissions_policy_test.rb  | 51 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+index 5666ad0acb006..6ec9087e37bd9 100644
+--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
+++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+@@ -37,7 +37,6 @@ def call(env)
+         request = ActionDispatch::Request.new(env)
+         _, headers, _ = response = @app.call(env)
+ 
+-        return response unless html_response?(headers)
+         return response if policy_present?(headers)
+ 
+         if policy = request.permissions_policy
+@@ -52,12 +51,6 @@ def call(env)
+       end
+ 
+       private
+-        def html_response?(headers)
+-          if content_type = headers[CONTENT_TYPE]
+-            /html/.match?(content_type)
+-          end
+-        end
+-
+         def policy_present?(headers)
+           headers[POLICY]
+         end
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@ -4,7 +4,7 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	7.0.7
-Release: 	2
+Release: 	3
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@ -25,6 +25,9 @@ Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
 # https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
 Patch1: CVE-2024-26143.patch
 Patch2: CVE-2024-26143-test.patch
+# https://github.com/rails/rails/commit/b84cbecacd114102e1884a6169388d7cb7ea325d
+Patch3: CVE-2024-28103.patch
+Patch4: CVE-2024-28103-test.patch

 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@ -63,10 +66,12 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
 %patch1 -p2
+%patch3 -p2

 pushd %{_builddir}
 %patch0 -p2
 %patch2 -p2
+%patch4 -p2
 popd

 %build
@ -109,6 +114,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-3
+- Fix CVE-2024-28103
+
 * Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2
 - Fix CVE-2024-26143 and remove unused file