CVE-2020-8151

2021-10-08 15:11:12 +08:00 · 2021-10-08 15:11:12 +08:00 · c42fd920f2
commit c42fd920f2
parent a89cb90755
2 changed files with 35 additions and 1 deletions
--- a/CVE-2020-8151.patch
+++ b/CVE-2020-8151.patch
@ -0,0 +1,28 @@
+From 83740a86bff7f0fa7d0caba5406ee125736cd133 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderlove@ruby-lang.org>
+Date: Fri, 8 Oct 2021 14:33:44 +0800
+Subject: [PATCH] Properly encode ID parameters to avoid prossible
+information
+
+[CVE-2020-8151]
+
+---
+ lib/active_resource/base.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/active_resource/base.rb b/lib/active_resource/base.rb
+index 3576d0c..913ba45 100644
+--- a/lib/active_resource/base.rb
+++ b/lib/active_resource/base.rb
+@@ -763,7 +763,7 @@ module ActiveResource
+         check_prefix_options(prefix_options)
+ 
+         prefix_options, query_options = split_options(prefix_options) if query_options.nil?
+-        "#{prefix(prefix_options)}#{collection_name}/#{URI.parser.escape id.to_s}#{format_extension}#{query_string(query_options)}"
+        "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
+       end
+ 
+       # Gets the new element path for REST resources.
+-- 
+2.27.0
+
--- a/rubygem-activeresource.spec
+++ b/rubygem-activeresource.spec
@ -2,13 +2,14 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.0.0
-Release:             1
+Release:             2
 Summary:             REST modeling framework (part of Rails)
 License:             MIT
 URL:                 http://www.rubyonrails.org
 Source0:             https://rubygems.org/gems/activeresource-5.0.0.gem
 Source1:             https://github.com/rails/activeresource/archive/v5.0.0.tar.gz
 Patch0:              rubygem-activeresource-5.0.0-Always-load-abstract_unit-on-the-top-of-test-file.patch
+Patch1:              CVE-2020-8151.patch
 BuildRequires:       ruby(release) rubygems-devel ruby rubygem(activemodel) >= 5.0
 BuildRequires:       rubygem(activesupport) >= 5.0 rubygem(activemodel-serializers-xml)
 BuildRequires:       rubygem(bundler) rubygem(mocha)
@ -17,6 +18,7 @@ BuildArch:           noarch
 REST on Rails. Wrap your RESTful web app with Ruby classes and work with them
 like Active Record models.

+
 %package doc
 Summary:             Documentation for %{name}
 Requires:            %{name} = %{epoch}:%{version}-%{release}
@ -28,6 +30,7 @@ Documentation for %{name}.
 gem unpack %{SOURCE0}
 %setup -q -D -T -n  %{gem_name}-%{version}
 gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
+%patch1 -p1

 %build
 gem build %{gem_name}.gemspec
@ -60,5 +63,8 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Fri Oct 8 2021 liwu <liwu13@huawei.com> - 5.0.0-2
+- Fix CVE-2020-8151
+
 * Wed Aug 12 2020 chengzihan <chengzihan2@huawei.com> - 5.0.0-1
 - Package init