!14 Fix CVE-2021-22904

From: @wang_yue111 Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-06-28 07:11:59 +00:00 · 2021-06-28 07:11:59 +00:00 · c69ec1532d
commit c69ec1532d
parent 4ef76b5010 0bf2113689
2 changed files with 36 additions and 1 deletions
--- a/CVE-2021-22904.patch
+++ b/CVE-2021-22904.patch
@ -0,0 +1,29 @@
+From f97d14a056c9b6ec6bf46d24e0c04b4893e78d41 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 4 May 2021 15:49:21 -0700
+Subject: [PATCH] Prevent slow regex when parsing host authorization header
+
+The old regex could take too long when parsing an authorization header,
+and this could potentially cause a DoS vulnerability
+
+[CVE-2021-22904]
+---
+ .../lib/action_controller/metal/http_authentication.rb          | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+index 01676f3..d2e6674 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+@@ -406,7 +406,7 @@ module ActionController
+     module Token
+       TOKEN_KEY = "token="
+       TOKEN_REGEX = /^(Token|Bearer)\s+/
+-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
+       extend self
+ 
+       module ControllerMethods
+-- 
+2.23.0
+
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@ -4,13 +4,15 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.2.4.4
-Release:             2
+Release:             3
 Summary:             Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0:              CVE-2021-22885.patch
+Patch1:              CVE-2021-22904.patch
+
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}
@ -35,6 +37,7 @@ Documentation for %{name}.
 %setup -q -c -T
 %gem_install -n %{SOURCE0}
 %patch0 -p1
+%patch1 -p1

 %build

@ -65,6 +68,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Mon Jun 28 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-3
+- Fix CVE-2021-22904
+
 * Fri Jun 11 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-2
 - Fix CVE-2021-22885