!72 fix: %patchN is deprecated (2 usages found), use %patch N (or %patch -P N)

From: @xugmin 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu

CVE-2023-22797.patch

@@ -1,32 +0,0 @@
-From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
-From: wonda-tea-coffee <lagrange.resolvent@gmail.com>
-Date: Mon, 5 Dec 2022 12:27:15 +0000
-Subject: [PATCH] Fix sec issue with _url_host_allowed?
-
-Disallow certain strings from `_url_host_allowed?` to avoid a redirect
-to malicious sites.
-
-[CVE-2023-22797]
----
- .../action_controller/metal/redirecting.rb    |  6 ++-
- actionpack/test/controller/redirect_test.rb   | 38 +++++++++++++++++++
- 2 files changed, 43 insertions(+), 1 deletion(-)
-
-diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
-index 721d5d3279..0ae6a48748 100644
---- a/actionpack/lib/action_controller/metal/redirecting.rb
-+++ b/actionpack/lib/action_controller/metal/redirecting.rb
-@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
- 
-       def _url_host_allowed?(url)
-         host = URI(url.to_s).host
--        host == request.host || host.nil? && url.to_s.start_with?("/")
-+
-+        return true if host == request.host
-+        return false unless host.nil?
-+        return false unless url.to_s.start_with?("/")
-+        return !url.to_s.start_with?("//")
-       rescue ArgumentError, URI::Error
-         false
-       end
-

CVE-2023-28362-test.patch

@@ -1,38 +0,0 @@
-diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
-index 91a8f8512b..40bd8d68da 100644
---- a/actionpack/test/controller/redirect_test.rb
-+++ b/actionpack/test/controller/redirect_test.rb
-@@ -104,6 +104,10 @@ def unsafe_redirect_protocol_relative_triple_slash
-     redirect_to "http:///www.rubyonrails.org/"
-   end
- 
-+  def unsafe_redirect_with_illegal_http_header_value_character
-+    redirect_to "javascript:alert(document.domain)\b", allow_other_host: true
-+  end
-+
-   def only_path_redirect
-     redirect_to action: "other_host", only_path: true
-   end
-@@ -556,6 +560,19 @@ def test_unsafe_redirect_with_protocol_relative_triple_slash_url
-     end
-   end
- 
-+  def test_unsafe_redirect_with_illegal_http_header_value_character
-+    with_raise_on_open_redirects do
-+      error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
-+        get :unsafe_redirect_with_illegal_http_header_value_character
-+      end
-+
-+      msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
-+        "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
-+
-+      assert_equal msg, error.message
-+    end
-+  end
-+
-   def test_only_path_redirect
-     with_raise_on_open_redirects do
-       get :only_path_redirect
--- 
-2.39.2
-

CVE-2023-28362.patch

@@ -1,70 +0,0 @@
-From 6d3e49f128c2db4cb157e058effe07781b0a66e4 Mon Sep 17 00:00:00 2001
-From: Zack Deveau <zack.ref@gmail.com>
-Date: Thu, 11 May 2023 16:55:01 -0400
-Subject: [PATCH] Added check for illegal HTTP header value in redirect_to
-
-The set of legal characters for an HTTP header value is described
-in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6.
-
-This commit adds a check to redirect_to that ensures the
-provided URL does not contain any of the illegal characters.
-
-Downstream consumers of the resulting Location response header
-may remove the header if it does not comply with the RFC.
-This can result in a cross site scripting (XSS) vector by
-allowing for the redirection page to sit idle waiting
-for user interaction with the provided malicious link.
-
-[CVE-2023-28362]
-
-Origin: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
-
-format
----
- .../action_controller/metal/redirecting.rb    | 19 ++++++++++++++++++-
- actionpack/test/controller/redirect_test.rb   | 17 +++++++++++++++++
- 2 files changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
-index 0409ba7026..830b94c092 100644
---- a/actionpack/lib/action_controller/metal/redirecting.rb
-+++ b/actionpack/lib/action_controller/metal/redirecting.rb
-@@ -4,6 +4,8 @@ module ActionController
-   module Redirecting
-     extend ActiveSupport::Concern
- 
-+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
-+
-     include AbstractController::Logger
-     include ActionController::UrlFor
- 
-@@ -86,7 +88,11 @@ def redirect_to(options = {}, response_options = {})
-       allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
- 
-       self.status        = _extract_redirect_to_status(options, response_options)
--      self.location      = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
-+
-+      redirect_to_location = _compute_redirect_to_location(request, options)
-+      _ensure_url_is_http_header_safe(redirect_to_location)
-+
-+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
-       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
-     end
- 
-@@ -204,5 +210,16 @@ def _url_host_allowed?(url)
-       rescue ArgumentError, URI::Error
-         false
-       end
-+
-+      def _ensure_url_is_http_header_safe(url)
-+        # Attempt to comply with the set of valid token characters
-+        # defined for an HTTP header value in
-+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
-+        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
-+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
-+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
-+          raise UnsafeRedirectError, msg
-+        end
-+      end
-   end
- end

CVE-2024-26143-test.patch

@@ -0,0 +1,49 @@
+diff --git a/actionpack/test/abstract/translation_test.rb b/actionpack/test/abstract/translation_test.rb
+index 1c0b51c4ed2fc..eca90040c8ca7 100644
+--- a/actionpack/test/abstract/translation_test.rb
++++ b/actionpack/test/abstract/translation_test.rb
+@@ -93,6 +93,22 @@ def test_default_translation
+         end
+       end
+ 
++      def test_default_translation_as_safe_html
++        @controller.stub :action_name, :index do
++          translation = @controller.t(".twoz", default: ["<tag>"])
++          assert_equal "&lt;tag&gt;", translation
++          assert_equal true, translation.html_safe?
++        end
++      end
++
++      def test_default_translation_with_raise_as_safe_html
++        @controller.stub :action_name, :index do
++          translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
++          assert_equal "&lt;tag&gt;", translation
++          assert_equal true, translation.html_safe?
++        end
++      end
++
+       def test_localize
+         time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
+         I18n.stub :localize, expected do
+@@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
+           assert_equal true, translation.html_safe?
+         end
+       end
++
++      def test_translate_marks_translation_with_missing_html_key_as_safe_html
++        @controller.stub :action_name, :index do
++          translation = @controller.t("<tag>.html")
++          assert_equal "translation missing: <tag>.html", translation
++          assert_equal false, translation.html_safe?
++        end
++      end
++      def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
++        @controller.stub :action_name, :index do
++          translation = @controller.t(".<tag>.html")
++          assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
++          assert_equal false, translation.html_safe?
++        end
++      end
+     end
+   end
+ end

CVE-2024-26143.patch

@@ -0,0 +1,53 @@
+From 4c83b331092a79d58e4adffe4be5f250fa5782cc Mon Sep 17 00:00:00 2001
+From: ooooooo_q <ooooooo-q@users.noreply.github.com>
+Date: Fri, 5 Jan 2024 12:00:02 +0900
+Subject: [PATCH] fix XSS vulnerability when using translation
+
+[CVE-2024-26143]
+---
+ actionpack/CHANGELOG.md                       |  4 +++
+ .../lib/abstract_controller/translation.rb    | 24 +++++++++++++-
+ actionpack/test/abstract/translation_test.rb  | 31 +++++++++++++++++++
+ 3 files changed, 58 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/abstract_controller/translation.rb b/actionpack/lib/abstract_controller/translation.rb
+index db71c172abd6c..bdd44c6893aa2 100644
+--- a/actionpack/lib/abstract_controller/translation.rb
++++ b/actionpack/lib/abstract_controller/translation.rb
+@@ -25,7 +25,25 @@ def translate(key, **options)
+ 
+       i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
+ 
+-      ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
++      if options[:default]
++        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
++        options[:default] = options[:default].map do |value|
++          value.is_a?(String) ? ERB::Util.html_escape(value) : value
++        end
++      end
++
++      unless i18n_raise
++        options[:default] = [] unless options[:default]
++        options[:default] << MISSING_TRANSLATION
++      end
++
++      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
++
++      if result == MISSING_TRANSLATION
++        +"translation missing: #{key}"
++      else
++        result
++      end
+     end
+     alias :t :translate
+ 
+@@ -34,5 +52,9 @@ def localize(object, **options)
+       I18n.localize(object, **options)
+     end
+     alias :l :localize
++
++    private
++      MISSING_TRANSLATION = -(2**60)
++      private_constant :MISSING_TRANSLATION
+   end
+ end

CVE-2024-28103-test.patch

@@ -0,0 +1,62 @@
+diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
+index 030e37942bd0e..533b59a55094d 100644
+--- a/actionpack/test/dispatch/permissions_policy_test.rb
++++ b/actionpack/test/dispatch/permissions_policy_test.rb
+@@ -41,6 +41,57 @@ def test_invalid_directive_source
+   end
+ end
+ 
++class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
++  APP = ->(env) { [200, {}, []] }
++
++  POLICY = ActionDispatch::PermissionsPolicy.new do |p|
++    p.gyroscope :self
++  end
++
++  class PolicyConfigMiddleware
++    def initialize(app)
++      @app = app
++    end
++
++    def call(env)
++      env["action_dispatch.permissions_policy"] = POLICY
++      env["action_dispatch.show_exceptions"] = :none
++
++      @app.call(env)
++    end
++  end
++
++  test "html requests will set a policy" do
++    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
++    # Dummy CONTENT_TYPE to avoid including backport of the following commit in
++    # a security-related patch:
++    # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
++    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++    assert_equal "text/html", response.headers['Content-Type']
++    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++  end
++
++  test "non-html requests will set a policy" do
++    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
++    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++    assert_equal "application/json", response.headers['Content-Type']
++    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++  end
++
++  private
++    def build_app(app)
++      PolicyConfigMiddleware.new(
++        Rack::Lint.new(
++          ActionDispatch::PermissionsPolicy::Middleware.new(
++            Rack::Lint.new(app),
++          ),
++        ),
++      )
++    end
++end
++
+ class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
+   class PolicyController < ActionController::Base
+     permissions_policy only: :index do |f|

CVE-2024-28103.patch

@@ -0,0 +1,43 @@
+From b84cbecacd114102e1884a6169388d7cb7ea325d Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Wed, 28 Feb 2024 16:49:11 -0500
+Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
+
+[CVE-2024-28103]
+The application configurable Permissions-Policy is only
+served on responses with an HTML related Content-Type.
+
+This change allows all Content-Types to serve the
+configured Permissions-Policy as there are many non-HTML
+Content-Types that would benefit from this header.
+(examples include image/svg+xml and application/xml)
+---
+ .../http/permissions_policy.rb                |  7 ---
+ .../test/dispatch/permissions_policy_test.rb  | 51 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+index 5666ad0acb006..6ec9087e37bd9 100644
+--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
++++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+@@ -37,7 +37,6 @@ def call(env)
+         request = ActionDispatch::Request.new(env)
+         _, headers, _ = response = @app.call(env)
+ 
+-        return response unless html_response?(headers)
+         return response if policy_present?(headers)
+ 
+         if policy = request.permissions_policy
+@@ -52,12 +51,6 @@ def call(env)
+       end
+ 
+       private
+-        def html_response?(headers)
+-          if content_type = headers[CONTENT_TYPE]
+-            /html/.match?(content_type)
+-          end
+-        end
+-
+         def policy_present?(headers)
+           headers[POLICY]
+         end

backport-CVE-2024-41128.patch

@@ -0,0 +1,38 @@
+From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:41:33 -0700
+Subject: [PATCH] Avoid backtracking in filtered_query_string
+
+Thanks scyoon for the patch
+
+CVE-2024-41128
+---
+ .../lib/action_dispatch/http/filter_parameters.rb   | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb
+index d053fc0b9f781..0e2e771da104d 100644
+--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb
++++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb
+@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc:
+         ActiveSupport::ParameterFilter.new(filters)
+       end
+ 
+-      KV_RE   = "[^&;=]+"
+-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
+       def filtered_query_string # :doc:
+-        query_string.gsub(PAIR_RE) do |_|
+-          parameter_filter.filter($1 => $2).first.join("=")
++        parts = query_string.split(/([&;])/)
++        filtered_parts = parts.map do |part|
++          if part.include?("=")
++            key, value = part.split("=", 2)
++            parameter_filter.filter(key => value).first.join("=")
++          else
++            part
++          end
+         end
++        filtered_parts.join("")
+       end
+     end
+   end

backport-CVE-2024-47887.patch

@@ -0,0 +1,26 @@
+From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:32:00 -0700
+Subject: [PATCH] Avoid backtracking in Token#raw_params
+
+Thanks to scyoon for the patch
+
+[CVE-2024-47887]
+---
+ actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
+index 439ffd5c99490..e42791bbc23d8 100644
+--- a/actionpack/lib/action_controller/metal/http_authentication.rb
++++ b/actionpack/lib/action_controller/metal/http_authentication.rb
+@@ -506,7 +506,8 @@ def rewrite_param_values(array_params)
+       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
+       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
+       def raw_params(auth)
+-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
++        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
++        _raw_params.reject!(&:empty?)
+ 
+         if !_raw_params.first&.start_with?(TOKEN_KEY)
+           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

rubygem-actionpack.spec

@@ -3,8 +3,8 @@
 
 Name:		rubygem-%{gem_name}
 Epoch:		1
-Version:	7.0.4
+Version:	7.0.7
-Release: 	3
+Release: 	5
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@@ -12,19 +12,25 @@ Source0: 	https://rubygems.org/gems/%{gem_name}-%{version}.gem
 # ActionPack gem doesn't ship with the test suite.
 # You may check it out like so
 # git clone http://github.com/rails/rails.git
-# cd rails/actionpack && git archive -v -o actionpack-7.0.4-tests.txz v7.0.4 test/
+# cd rails/actionpack && git archive -v -o actionpack-7.0.7-tests.txz v7.0.7 test/
 Source1: 	%{gem_name}-%{version}-tests.txz
 # The tools are needed for the test suite, are however unpackaged in gem file.
 # You may get them like so
 # git clone http://github.com/rails/rails.git --no-checkout
-# cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/
+# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
 Source2: 	rails-%{version}-tools.txz
 # Fixes for Minitest 5.16+
 # https://github.com/rails/rails/pull/45370
 Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
-Patch1: CVE-2023-22797.patch
+# https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
-Patch2: CVE-2023-28362.patch
+Patch1: CVE-2024-26143.patch
-Patch3: CVE-2023-28362-test.patch
+Patch2: CVE-2024-26143-test.patch
+# https://github.com/rails/rails/commit/b84cbecacd114102e1884a6169388d7cb7ea325d
+Patch3: CVE-2024-28103.patch
+Patch4: CVE-2024-28103-test.patch
+
+Patch3000:	backport-CVE-2024-41128.patch
+Patch3001:	backport-CVE-2024-47887.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@@ -62,12 +68,16 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
-%patch1 -p2
+%patch 1 -p2
-%patch2 -p2
+%patch 3 -p2
+
+%patch 3000 -p2
+%patch 3001 -p2
 
 pushd %{_builddir}
-%patch0 -p2
+%patch 0 -p2
-%patch3 -p2
+%patch 2 -p2
+%patch 4 -p2
 popd
 
 %build
@@ -110,6 +120,21 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Nov 04 2024 xuguangmin <xuguangmin@kylinos.cn> - 1:7.0.7-5
+- fix: %patchN is deprecated (2 usages found), use %patch N (or %patch -P N) 
+
+* Fri Oct 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-4
+- Fix CVE-2024-41128 and CVE-2024-47887
+
+* Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-3
+- Fix CVE-2024-28103
+
+* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2
+- Fix CVE-2024-26143 and remove unused file
+
+* Fri Aug 18 2023 chenchen <chen_aka_jan@163.com> - 1:7.0.7-1
+- Upgrade to version 7.0.7
+
 * Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:7.0.4-3
 - Fix CVE-2023-28362