Fix CVE-2024-41128 and CVE-2024-47887

backport-CVE-2024-41128.patch

@@ -0,0 +1,38 @@
+From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:41:33 -0700
+Subject: [PATCH] Avoid backtracking in filtered_query_string
+
+Thanks scyoon for the patch
+
+CVE-2024-41128
+---
+ .../lib/action_dispatch/http/filter_parameters.rb   | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb
+index d053fc0b9f781..0e2e771da104d 100644
+--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb
++++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb
+@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc:
+         ActiveSupport::ParameterFilter.new(filters)
+       end
+ 
+-      KV_RE   = "[^&;=]+"
+-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
+       def filtered_query_string # :doc:
+-        query_string.gsub(PAIR_RE) do |_|
+-          parameter_filter.filter($1 => $2).first.join("=")
++        parts = query_string.split(/([&;])/)
++        filtered_parts = parts.map do |part|
++          if part.include?("=")
++            key, value = part.split("=", 2)
++            parameter_filter.filter(key => value).first.join("=")
++          else
++            part
++          end
+         end
++        filtered_parts.join("")
+       end
+     end
+   end

backport-CVE-2024-47887.patch

@@ -0,0 +1,26 @@
+From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:32:00 -0700
+Subject: [PATCH] Avoid backtracking in Token#raw_params
+
+Thanks to scyoon for the patch
+
+[CVE-2024-47887]
+---
+ actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
+index 439ffd5c99490..e42791bbc23d8 100644
+--- a/actionpack/lib/action_controller/metal/http_authentication.rb
++++ b/actionpack/lib/action_controller/metal/http_authentication.rb
+@@ -506,7 +506,8 @@ def rewrite_param_values(array_params)
+       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
+       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
+       def raw_params(auth)
+-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
++        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
++        _raw_params.reject!(&:empty?)
+ 
+         if !_raw_params.first&.start_with?(TOKEN_KEY)
+           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

rubygem-actionpack.spec

@@ -4,7 +4,7 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	7.0.7
-Release: 	3
+Release: 	4
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@@ -29,6 +29,9 @@ Patch2: CVE-2024-26143-test.patch
 Patch3: CVE-2024-28103.patch
 Patch4: CVE-2024-28103-test.patch
 
+Patch3000:	backport-CVE-2024-41128.patch
+Patch3001:	backport-CVE-2024-47887.patch
+
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
 BuildRequires: 	rubygems-devel
@@ -68,6 +71,9 @@ Documentation for %{name}.
 %patch1 -p2
 %patch3 -p2
 
+%patch3000 -p2
+%patch3001 -p2
+
 pushd %{_builddir}
 %patch0 -p2
 %patch2 -p2
@@ -114,6 +120,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Fri Oct 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-4
+- Fix CVE-2024-41128 and CVE-2024-47887
+
 * Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-3
 - Fix CVE-2024-28103