diff --git a/CVE-2021-22885.patch b/CVE-2021-22885.patch
deleted file mode 100644
index a77cdaf..0000000
--- a/CVE-2021-22885.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From be6dd1c705551823db13b47ca76b0a6540e21135 Mon Sep 17 00:00:00 2001
-From: Gannon McGibbon
-Date: Thu, 18 Feb 2021 13:17:08 -0500
-Subject: [PATCH] Prevent string polymorphic route arguments
-
-url_for supports building polymorphic URLs via an array
-of arguments (usually symbols and records). If an array is passed,
-strings can result in unwanted route helper calls.
-
-CVE-2021-22885
---
- .../action_dispatch/routing/polymorphic_routes.rb | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
-index 6da869c..84b78e1 100644
---- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
-+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
-@@ -288,10 +288,12 @@ module ActionDispatch
-
- args = []
-
-- route = record_list.map { |parent|
-+ route = record_list.map do |parent|
- case parent
-- when Symbol, String
-+ when Symbol
- parent.to_s
-+ when String
-+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
- when Class
- args << parent
- parent.model_name.singular_route_key
-@@ -299,12 +301,14 @@ module ActionDispatch
- args << parent.to_model
- parent.to_model.model_name.singular_route_key
- end
-- }
-+ end
-
- route <<
- case record
-- when Symbol, String
-+ when Symbol
- record.to_s
-+ when String
-+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
- when Class
- @key_strategy.call record.model_name
- else
---
-2.23.0
-
diff --git a/CVE-2021-22904.patch b/CVE-2021-22904.patch
deleted file mode 100644
index 99b5e3f..0000000
--- a/CVE-2021-22904.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From f97d14a056c9b6ec6bf46d24e0c04b4893e78d41 Mon Sep 17 00:00:00 2001
-From: Aaron Patterson
-Date: Tue, 4 May 2021 15:49:21 -0700
-Subject: [PATCH] Prevent slow regex when parsing host authorization header
-
-The old regex could take too long when parsing an authorization header,
-and this could potentially cause a DoS vulnerability
-
-[CVE-2021-22904]
---
- .../lib/action_controller/metal/http_authentication.rb | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
-index 01676f3..d2e6674 100644
---- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
-+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
-@@ -406,7 +406,7 @@ module ActionController
- module Token
- TOKEN_KEY = "token="
- TOKEN_REGEX = /^(Token|Bearer)\s+/
-- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
-+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
- extend self
-
- module ControllerMethods
---
-2.23.0
-
diff --git a/actionpack-5.2.4.4.gem b/actionpack-5.2.4.4.gem
deleted file mode 100644
index 296ed5f..0000000
Binary files a/actionpack-5.2.4.4.gem and /dev/null differ
diff --git a/actionpack-6.1.4.1-tests.txz b/actionpack-6.1.4.1-tests.txz
new file mode 100644
index 0000000..7a25445
Binary files /dev/null and b/actionpack-6.1.4.1-tests.txz differ
diff --git a/actionpack-6.1.4.1.gem b/actionpack-6.1.4.1.gem
new file mode 100644
index 0000000..71aa9a7
Binary files /dev/null and b/actionpack-6.1.4.1.gem differ
diff --git a/rails-6.1.4.1-tools.txz b/rails-6.1.4.1-tools.txz
new file mode 100644
index 0000000..2a29578
Binary files /dev/null and b/rails-6.1.4.1-tools.txz differ
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index e7666dd..5b879ee 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec 
@@ -1,57 +1,79 @@
 %global gem_name actionpack
-%{?_with_bootstrap: %global bootstrap 1}
-%global bootstrap 1
-Name: rubygem-%{gem_name}
-Epoch: 1
-Version: 5.2.4.4
-Release: 3
-Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
-License: MIT
-URL: http://rubyonrails.org
-Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
-Patch0: CVE-2021-22885.patch
-Patch1: CVE-2021-22904.patch
+%bcond_with bootstrap
-BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
-%if ! 0%{?bootstrap}
-BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}
-BuildRequires: rubygem(activesupport) = %{version} rubygem(actionview) = %{version}
-BuildRequires: rubygem(railties) = %{version} rubygem(rack) rubygem(rack-cache)
-BuildRequires: rubygem(rack-test) rubygem(puma) rubygem(capybara) >= 2.13.0
+Name: rubygem-%{gem_name}
+Epoch: 1
+Version: 6.1.4.1
+Release: 1
+Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
+License: MIT
+URL: http://rubyonrails.org
+Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
+Source1: %{gem_name}-%{version}-tests.txz
+Source2: rails-%{version}-tools.txz
+
+# Let's keep Requires and BuildRequires sorted alphabeticaly
+BuildRequires: ruby(release)
+BuildRequires: rubygems-devel
+BuildRequires: ruby >= 2.2.2
+%if %{without bootstrap}
+BuildRequires: rubygem(activemodel) = %{version}
+BuildRequires: rubygem(activerecord) = %{version}
+BuildRequires: rubygem(activesupport) = %{version}
+BuildRequires: rubygem(actionview) = %{version}
+BuildRequires: rubygem(railties) = %{version}
+BuildRequires: rubygem(rack)
+BuildRequires: rubygem(rack-cache)
+BuildRequires: rubygem(rack-test)
+BuildRequires: rubygem(puma)
+BuildRequires: rubygem(capybara) >= 3.26
+BuildRequires: rubygem(selenium-webdriver)
+BuildRequires: rubygem(rexml)
 %endif
-BuildArch: noarch
+BuildRequires: rubygem(did_you_mean)
+BuildArch: noarch
+
 %description
 Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.
-%package doc
-Summary: Documentation for %{name}
-Requires: %{name} = %{epoch}:%{version}-%{release}
-BuildArch: noarch
-%description doc
+%package doc
+Summary: Documentation for %{name}
+Requires: %{name} = %{epoch}:%{version}-%{release}
+BuildArch: noarch
+
+%description doc
 Documentation for %{name}.
 %prep
-%setup -q -c -T
-%gem_install -n %{SOURCE0}
-%patch0 -p1
-%patch1 -p1
+%setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
 %build
+gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
+%gem_install
 %install
 mkdir -p %{buildroot}%{gem_dir}
 cp -a .%{gem_dir}/* \
 %{buildroot}%{gem_dir}/
-%if ! 0%{?bootstrap}
+
+%if %{without bootstrap}
 %check
 pushd .%{gem_instdir}
-tar xzvf %{SOURCE1}
-cd rails-%{version}/%{gem_name}
-ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
+ln -s %{_builddir}/tools ..
+cp -a %{_builddir}/test .
+for tname in 'rendering a relative path with dot' 'rendering a relative path'; do
+ sed -i "/^\s* test \"$tname\" do/ a \ skip" \
+ test/controller/new_base/render_file_test.rb
+done
+
+sed -i '/\s*"browserName" => "\S*"\s*$/ d' test/dispatch/system_testing/driver_test.rb
+find test -type f -name '*_test.rb' -print0 | \
+ sort -z | \
+ xargs -0 -n1 -i sh -c "echo '* Test file: {}'; ruby -Ilib:test -- '{}' || exit 255"
+
 popd
 %endif
@@ -68,6 +90,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Thu May 03 2022 wangkerong - 6.1.4.1-1
+- Upgrade to 6.1.4.1
+
 * Mon Jun 28 2021 wangyue - 5.2.4.4-3
 - Fix CVE-2021-22904
diff --git a/v5.2.4.4.tar.gz b/v5.2.4.4.tar.gz
deleted file mode 100644
index 6191daf..0000000
Binary files a/v5.2.4.4.tar.gz and /dev/null differ
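Review bot: `BuildRequires: ruby >= 2.2.2` is carried over unchanged into the rewritten BuildRequires block while the package moves to actionpack 6.1.4.1, whose upstream gemspec requires Ruby >= 2.5.0, so the declared floor no longer matches what the gem will accept; raise it to `BuildRequires: ruby >= 2.5.0` and check the runtime Requires that live outside this hunk. Source1 and Source2 are now local archives with no origin URL and no note on how they were produced, whereas the old spec fetched the tagged tarball from GitHub; a comment such as `# Source1/Source2: test/ and tools/ taken from the rails v%{version} tag` would keep the build inputs auditable (presumably that is where they come from, given the `ln -s %{_builddir}/tools ..` and `cp -a %{_builddir}/test .` lines). Dropping Patch0/Patch1 is right only because 6.1.4.1 already contains both fixes, yet the new `%changelog` entry in the second hunk of this file says only "Upgrade to 6.1.4.1"; add a line like `- Drop CVE-2021-22885 and CVE-2021-22904 patches, fixed upstream in 6.1.4.1` so the CVE record stays traceable for anyone auditing the package history. While here, fix the typo in the new comment: `# Let's keep Requires and BuildRequires sorted alphabetically`.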