Fix CVE-2024-26144
This commit is contained in:
parent
b724c61292
commit
f8830d592d
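--- /dev/null
+++ b/CVE-2024-26144.patch
@@ -0,0 +1,60 @@
+From 723f54566023e91060a67b03353e7c03e7436433 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+<rafael@rubyonrails.org>
+Date: Thu, 3 Aug 2023 16:00:34 -0400
+Subject: [PATCH] Merge pull request #48869 from
+brunoprietog/disable-session-active-storage-proxy-controllers
+
+Disable session in ActiveStorage blobs and representations proxy controllers
+
+[CVE-2024-26144]
+---
+activestorage/CHANGELOG.md | 8 ++++++++
+.../active_storage/blobs/proxy_controller.rb | 1 +
+.../representations/proxy_controller.rb | 1 +
+.../concerns/active_storage/disable_session.rb | 12 ++++++++++++
+4 files changed, 22 insertions(+)
+create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
+
+diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+index 6ec2772717c70..438623858474e 100644
+--- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+@@ -9,6 +9,7 @@
+class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
+include ActiveStorage::SetBlob
+include ActiveStorage::Streaming
++ include ActiveStorage::DisableSession
+
+def show
+if request.headers["Range"].present?
+diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+index 0f6c0f79978ab..7024f6534a501 100644
+--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+@@ -8,6 +8,7 @@
+# {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
+class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
+include ActiveStorage::Streaming
++ include ActiveStorage::DisableSession
+
+def show
+http_cache_forever public: true do
+diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+new file mode 100644
+index 0000000000000..200ad7c9d23ac
+--- /dev/null
++++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+@@ -0,0 +1,12 @@
++# frozen_string_literal: true
++
++# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
++module ActiveStorage::DisableSession
++ extend ActiveSupport::Concern
++
++ included do
++ before_action do
++ request.session_options[:skip] = true
++ end
++ end
++end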
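Review bot: The diffstat block carried inside the patch (`activestorage/CHANGELOG.md | 8 ++++++++` through `4 files changed, 22 insertions(+)`) no longer matches the patch body, which contains only the three file diffs for the two proxy controllers and the new `disable_session.rb` concern. `patch` and `git apply` ignore the stat block, so the backport still applies, but a stale stat misleads anyone auditing what this CVE fix actually changes; trim those lines to the three files present, or drop the stat block entirely, so the header matches the content. The substantive change is the `before_action` setting `request.session_options[:skip] = true`, which keeps a session cookie from being attached to proxied blob responses that the controllers mark as publicly cacheable (`http_cache_forever public: true` is visible in the representations hunk) — presumably the CDN cache-poisoning vector the CVE describes, though the advisory text is not on this page. It would help future maintainers to record in the spec changelog that the upstream CHANGELOG entry was intentionally omitted from the backport.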
@ -3,7 +3,7 @@
|
|||||||
%bcond_with ffmpeg
|
%bcond_with ffmpeg
|
||||||
Name: rubygem-%{gem_name}
|
Name: rubygem-%{gem_name}
|
||||||
Version: 7.0.7
|
Version: 7.0.7
|
||||||
Release: 1
|
Release: 2
|
||||||
Summary: Local and cloud file storage framework
|
Summary: Local and cloud file storage framework
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://rubyonrails.org
|
URL: http://rubyonrails.org
|
||||||
@ -18,6 +18,8 @@ Source1: %{gem_name}-%{version}-tests.txz
|
|||||||
# git clone http://github.com/rails/rails.git --no-checkout
|
# git clone http://github.com/rails/rails.git --no-checkout
|
||||||
# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
|
# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
|
||||||
Source2: rails-%{version}-tools.txz
|
Source2: rails-%{version}-tools.txz
|
||||||
|
# https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
|
||||||
|
Patch0: CVE-2024-26144.patch
|
||||||
BuildRequires: ruby(release) rubygems-devel ruby
|
BuildRequires: ruby(release) rubygems-devel ruby
|
||||||
%if %{without bootstrap}
|
%if %{without bootstrap}
|
||||||
BuildRequires: rubygem(actionpack) = %{version} rubygem(activerecord) = %{version}
|
BuildRequires: rubygem(actionpack) = %{version} rubygem(activerecord) = %{version}
|
||||||
@ -43,6 +45,7 @@ Documentation for %{name}.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{gem_name}-%{version} -b1 -b2
|
%setup -q -n %{gem_name}-%{version} -b1 -b2
|
||||||
|
%patch0 -p2
|
||||||
|
|
||||||
%build
|
%build
|
||||||
gem build ../%{gem_name}-%{version}.gemspec
|
gem build ../%{gem_name}-%{version}.gemspec
|
||||||
@ -120,6 +123,9 @@ popd
|
|||||||
%doc %{gem_instdir}/README.md
|
%doc %{gem_instdir}/README.md
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 7.0.7-2
|
||||||
|
- Fix CVE-2024-26144
|
||||||
|
|
||||||
* Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1
|
* Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1
|
||||||
- Upgrade to version 7.0.7
|
- Upgrade to version 7.0.7
|
||||||
|
|
||||||
|
|||||||