!42 Upgrade to version 7.0.7

From: @chen-jan 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2023-22797.patch

@@ -1,32 +0,0 @@
-From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
-From: wonda-tea-coffee <lagrange.resolvent@gmail.com>
-Date: Mon, 5 Dec 2022 12:27:15 +0000
-Subject: [PATCH] Fix sec issue with _url_host_allowed?
-
-Disallow certain strings from `_url_host_allowed?` to avoid a redirect
-to malicious sites.
-
-[CVE-2023-22797]
----
- .../action_controller/metal/redirecting.rb    |  6 ++-
- actionpack/test/controller/redirect_test.rb   | 38 +++++++++++++++++++
- 2 files changed, 43 insertions(+), 1 deletion(-)
-
-diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
-index 721d5d3279..0ae6a48748 100644
---- a/actionpack/lib/action_controller/metal/redirecting.rb
-+++ b/actionpack/lib/action_controller/metal/redirecting.rb
-@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
- 
-       def _url_host_allowed?(url)
-         host = URI(url.to_s).host
--        host == request.host || host.nil? && url.to_s.start_with?("/")
-+
-+        return true if host == request.host
-+        return false unless host.nil?
-+        return false unless url.to_s.start_with?("/")
-+        return !url.to_s.start_with?("//")
-       rescue ArgumentError, URI::Error
-         false
-       end
-

CVE-2023-28362-test.patch

@@ -1,38 +0,0 @@
-diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
-index 91a8f8512b..40bd8d68da 100644
---- a/actionpack/test/controller/redirect_test.rb
-+++ b/actionpack/test/controller/redirect_test.rb
-@@ -104,6 +104,10 @@ def unsafe_redirect_protocol_relative_triple_slash
-     redirect_to "http:///www.rubyonrails.org/"
-   end
- 
-+  def unsafe_redirect_with_illegal_http_header_value_character
-+    redirect_to "javascript:alert(document.domain)\b", allow_other_host: true
-+  end
-+
-   def only_path_redirect
-     redirect_to action: "other_host", only_path: true
-   end
-@@ -556,6 +560,19 @@ def test_unsafe_redirect_with_protocol_relative_triple_slash_url
-     end
-   end
- 
-+  def test_unsafe_redirect_with_illegal_http_header_value_character
-+    with_raise_on_open_redirects do
-+      error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
-+        get :unsafe_redirect_with_illegal_http_header_value_character
-+      end
-+
-+      msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
-+        "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
-+
-+      assert_equal msg, error.message
-+    end
-+  end
-+
-   def test_only_path_redirect
-     with_raise_on_open_redirects do
-       get :only_path_redirect
--- 
-2.39.2
-

CVE-2023-28362.patch

@@ -1,70 +0,0 @@
-From 6d3e49f128c2db4cb157e058effe07781b0a66e4 Mon Sep 17 00:00:00 2001
-From: Zack Deveau <zack.ref@gmail.com>
-Date: Thu, 11 May 2023 16:55:01 -0400
-Subject: [PATCH] Added check for illegal HTTP header value in redirect_to
-
-The set of legal characters for an HTTP header value is described
-in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6.
-
-This commit adds a check to redirect_to that ensures the
-provided URL does not contain any of the illegal characters.
-
-Downstream consumers of the resulting Location response header
-may remove the header if it does not comply with the RFC.
-This can result in a cross site scripting (XSS) vector by
-allowing for the redirection page to sit idle waiting
-for user interaction with the provided malicious link.
-
-[CVE-2023-28362]
-
-Origin: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
-
-format
----
- .../action_controller/metal/redirecting.rb    | 19 ++++++++++++++++++-
- actionpack/test/controller/redirect_test.rb   | 17 +++++++++++++++++
- 2 files changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
-index 0409ba7026..830b94c092 100644
---- a/actionpack/lib/action_controller/metal/redirecting.rb
-+++ b/actionpack/lib/action_controller/metal/redirecting.rb
-@@ -4,6 +4,8 @@ module ActionController
-   module Redirecting
-     extend ActiveSupport::Concern
- 
-+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
-+
-     include AbstractController::Logger
-     include ActionController::UrlFor
- 
-@@ -86,7 +88,11 @@ def redirect_to(options = {}, response_options = {})
-       allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
- 
-       self.status        = _extract_redirect_to_status(options, response_options)
--      self.location      = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
-+
-+      redirect_to_location = _compute_redirect_to_location(request, options)
-+      _ensure_url_is_http_header_safe(redirect_to_location)
-+
-+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
-       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
-     end
- 
-@@ -204,5 +210,16 @@ def _url_host_allowed?(url)
-       rescue ArgumentError, URI::Error
-         false
-       end
-+
-+      def _ensure_url_is_http_header_safe(url)
-+        # Attempt to comply with the set of valid token characters
-+        # defined for an HTTP header value in
-+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
-+        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
-+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
-+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
-+          raise UnsafeRedirectError, msg
-+        end
-+      end
-   end
- end

rubygem-actionpack.spec

@@ -3,8 +3,8 @@
 
 Name:		rubygem-%{gem_name}
 Epoch:		1
-Version:	7.0.4
+Version:	7.0.7
-Release: 	3
+Release: 	1
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@@ -12,19 +12,16 @@ Source0: 	https://rubygems.org/gems/%{gem_name}-%{version}.gem
 # ActionPack gem doesn't ship with the test suite.
 # You may check it out like so
 # git clone http://github.com/rails/rails.git
-# cd rails/actionpack && git archive -v -o actionpack-7.0.4-tests.txz v7.0.4 test/
+# cd rails/actionpack && git archive -v -o actionpack-7.0.7-tests.txz v7.0.7 test/
 Source1: 	%{gem_name}-%{version}-tests.txz
 # The tools are needed for the test suite, are however unpackaged in gem file.
 # You may get them like so
 # git clone http://github.com/rails/rails.git --no-checkout
-# cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/
+# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
 Source2: 	rails-%{version}-tools.txz
 # Fixes for Minitest 5.16+
 # https://github.com/rails/rails/pull/45370
 Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
-Patch1: CVE-2023-22797.patch
-Patch2: CVE-2023-28362.patch
-Patch3: CVE-2023-28362-test.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@@ -62,12 +59,9 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
-%patch1 -p2
-%patch2 -p2
 
 pushd %{_builddir}
 %patch0 -p2
-%patch3 -p2
 popd
 
 %build
@@ -110,6 +104,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Fri Aug 18 2023 chenchen <chen_aka_jan@163.com> - 1:7.0.7-1
+- Upgrade to version 7.0.7
+
 * Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:7.0.4-3
 - Fix CVE-2023-28362