!2 fix CVE-2020-8151

From: @programmer12
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-10-08 07:26:02 +00:00 committed by Gitee
commit c9067b8c58
2 changed files with 35 additions and 1 deletion

CVE-2020-8151.patch (new file, 28 lines)

@ -0,0 +1,28 @@
From 83740a86bff7f0fa7d0caba5406ee125736cd133 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Fri, 8 Oct 2021 14:33:44 +0800
Subject: [PATCH] Properly encode ID parameters to avoid prossible
information
[CVE-2020-8151]
---
lib/active_resource/base.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/active_resource/base.rb b/lib/active_resource/base.rb
index 3576d0c..913ba45 100644
--- a/lib/active_resource/base.rb
+++ b/lib/active_resource/base.rb
@@ -763,7 +763,7 @@ module ActiveResource
check_prefix_options(prefix_options)
prefix_options, query_options = split_options(prefix_options) if query_options.nil?
- "#{prefix(prefix_options)}#{collection_name}/#{URI.parser.escape id.to_s}#{format_extension}#{query_string(query_options)}"
+ "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
end
# Gets the new element path for REST resources.
--
2.27.0
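Review bot: the Subject line of the embedded patch header is truncated and misspelled ("prossible information"), so the file that will live permanently in the package loses the one-line description of what the fix does; carry the complete upstream subject and correct the typo before merging. On the change itself, replacing `URI.parser.escape id.to_s` with `URI.encode_www_form_component(id.to_s)` is the right direction: the default `URI::Parser#escape` leaves reserved characters such as `/`, `?`, `&` and `=` untouched, so an id containing them could rewrite the request path or query string, whereas `encode_www_form_component` percent-encodes everything except unreserved characters. Two caveats worth recording in the review: `encode_www_form_component` turns a space into `+` rather than `%20`, so ids containing spaces change their wire form after this patch; and the backport touches only lib/active_resource/base.rb (1 file changed) with no regression test, so a test asserting that `element_path` percent-encodes an id containing `/` or `?` would make the backport verifiable under the mocha test setup the spec already requires.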


@ -2,13 +2,14 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 5.0.0 Version: 5.0.0
Release: 1 Release: 2
Summary: REST modeling framework (part of Rails) Summary: REST modeling framework (part of Rails)
License: MIT License: MIT
URL: http://www.rubyonrails.org URL: http://www.rubyonrails.org
Source0: https://rubygems.org/gems/activeresource-5.0.0.gem Source0: https://rubygems.org/gems/activeresource-5.0.0.gem
Source1: https://github.com/rails/activeresource/archive/v5.0.0.tar.gz Source1: https://github.com/rails/activeresource/archive/v5.0.0.tar.gz
Patch0: rubygem-activeresource-5.0.0-Always-load-abstract_unit-on-the-top-of-test-file.patch Patch0: rubygem-activeresource-5.0.0-Always-load-abstract_unit-on-the-top-of-test-file.patch
Patch1: CVE-2020-8151.patch
BuildRequires: ruby(release) rubygems-devel ruby rubygem(activemodel) >= 5.0 BuildRequires: ruby(release) rubygems-devel ruby rubygem(activemodel) >= 5.0
BuildRequires: rubygem(activesupport) >= 5.0 rubygem(activemodel-serializers-xml) BuildRequires: rubygem(activesupport) >= 5.0 rubygem(activemodel-serializers-xml)
BuildRequires: rubygem(bundler) rubygem(mocha) BuildRequires: rubygem(bundler) rubygem(mocha)
@ -17,6 +18,7 @@ BuildArch: noarch
REST on Rails. Wrap your RESTful web app with Ruby classes and work with them REST on Rails. Wrap your RESTful web app with Ruby classes and work with them
like Active Record models. like Active Record models.
%package doc %package doc
Summary: Documentation for %{name} Summary: Documentation for %{name}
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
@ -28,6 +30,7 @@ Documentation for %{name}.
gem unpack %{SOURCE0} gem unpack %{SOURCE0}
%setup -q -D -T -n %{gem_name}-%{version} %setup -q -D -T -n %{gem_name}-%{version}
gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
%patch1 -p1
%build %build
gem build %{gem_name}.gemspec gem build %{gem_name}.gemspec
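Review bot: `%patch1 -p1` is added after `gem spec ... > %{gem_name}.gemspec` and before `gem build`, which is the right position, since the file is patched in the tree that `gem build` repackages; the `-p1` strip matches the `a/lib/active_resource/base.rb` and `b/lib/active_resource/base.rb` paths in CVE-2020-8151.patch. Note that the patch's hunk header is pinned to line 763 of base.rb and its `index` line carries regenerated blob ids for the 5.0.0 tree, so a later version bump of this spec should re-verify that the patch still applies cleanly rather than assume it.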
@ -60,5 +63,8 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Fri Oct 8 2021 liwu <liwu13@huawei.com> - 5.0.0-2
- Fix CVE-2020-8151
* Wed Aug 12 2020 chengzihan <chengzihan2@huawei.com> - 5.0.0-1 * Wed Aug 12 2020 chengzihan <chengzihan2@huawei.com> - 5.0.0-1
- Package init - Package init