packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!14 Fix CVE-2021-22904

Browse Source 
From: @wang_yue111
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-06-28 07:11:59 +00:00 committed by Gitee
commit c69ec1532d
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
CVE-2021-22904.patch Normal file
View File

@ -0,0 +1,29 @@
From f97d14a056c9b6ec6bf46d24e0c04b4893e78d41 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 4 May 2021 15:49:21 -0700
Subject: [PATCH] Prevent slow regex when parsing host authorization header
The old regex could take too long when parsing an authorization header,
and this could potentially cause a DoS vulnerability
[CVE-2021-22904]
---
.../lib/action_controller/metal/http_authentication.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
index 01676f3..d2e6674 100644
--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
@@ -406,7 +406,7 @@ module ActionController
module Token
TOKEN_KEY = "token="
TOKEN_REGEX = /^(Token|Bearer)\s+/
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
extend self
module ControllerMethods
--
2.23.0

8
rubygem-actionpack.spec
View File

@ -4,13 +4,15 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 5.2.4.4 Version: 5.2.4.4
Release: 2 Release: 3
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
Patch0: CVE-2021-22885.patch Patch0: CVE-2021-22885.patch
Patch1: CVE-2021-22904.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
%if ! 0%{?bootstrap} %if ! 0%{?bootstrap}
BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version} BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}
@ -35,6 +37,7 @@ Documentation for %{name}.
%setup -q -c -T %setup -q -c -T
%gem_install -n %{SOURCE0} %gem_install -n %{SOURCE0}
%patch0 -p1 %patch0 -p1
%patch1 -p1
%build %build
@ -65,6 +68,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Mon Jun 28 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-3
- Fix CVE-2021-22904
* Fri Jun 11 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-2 * Fri Jun 11 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-2
- Fix CVE-2021-22885 - Fix CVE-2021-22885