!12 Fix CVE-2024-26144

From: @starlet-dx 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2024-26144.patch

@@ -0,0 +1,60 @@
+From 723f54566023e91060a67b03353e7c03e7436433 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafael@rubyonrails.org>
+Date: Thu, 3 Aug 2023 16:00:34 -0400
+Subject: [PATCH] Merge pull request #48869 from
+ brunoprietog/disable-session-active-storage-proxy-controllers
+
+Disable session in ActiveStorage blobs and representations proxy controllers
+
+[CVE-2024-26144]
+---
+ activestorage/CHANGELOG.md                           |  8 ++++++++
+ .../active_storage/blobs/proxy_controller.rb         |  1 +
+ .../representations/proxy_controller.rb              |  1 +
+ .../concerns/active_storage/disable_session.rb       | 12 ++++++++++++
+ 4 files changed, 22 insertions(+)
+ create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
+
+diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+index 6ec2772717c70..438623858474e 100644
+--- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+@@ -9,6 +9,7 @@
+ class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
+   include ActiveStorage::SetBlob
+   include ActiveStorage::Streaming
++  include ActiveStorage::DisableSession
+ 
+   def show
+     if request.headers["Range"].present?
+diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+index 0f6c0f79978ab..7024f6534a501 100644
+--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+@@ -8,6 +8,7 @@
+ # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
+ class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
+   include ActiveStorage::Streaming
++  include ActiveStorage::DisableSession
+ 
+   def show
+     http_cache_forever public: true do
+diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+new file mode 100644
+index 0000000000000..200ad7c9d23ac
+--- /dev/null
++++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+@@ -0,0 +1,12 @@
++# frozen_string_literal: true
++
++# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
++module ActiveStorage::DisableSession
++  extend ActiveSupport::Concern
++
++  included do
++    before_action do
++      request.session_options[:skip] = true
++    end
++  end
++end

rubygem-activestorage.spec

@@ -1,21 +1,31 @@
 %global gem_name activestorage
-%{?_with_bootstrap: %global bootstrap 1}
-%global bootstrap 1
+%bcond_without bootstrap
 %bcond_with ffmpeg
 Name:                rubygem-%{gem_name}
-Version:             5.2.3
-Release:             1
+Version:             7.0.7
+Release:             2
 Summary:             Local and cloud file storage framework
 License:             MIT
 URL:                 http://rubyonrails.org
-Source0:             https://rubygems.org/gems/activestorage-5.2.3.gem
-Source1:             https://github.com/rails/rails/archive/v5.2.3.tar.gz
+Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
+# The gem doesn't ship with the test suite.
+# You may check it out like so
+# git clone https://github.com/rails/rails.git
+# cd rails/activestorage && git archive -v -o activestorage-7.0.7-tests.txz v7.0.7 test/
+Source1:             %{gem_name}-%{version}-tests.txz
+# The tools are needed for the test suite, are however unpackaged in gem file.
+# You may check it out like so
+# git clone http://github.com/rails/rails.git --no-checkout
+# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
+Source2:             rails-%{version}-tools.txz
+# https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
+Patch0:              CVE-2024-26144.patch
 BuildRequires:       ruby(release) rubygems-devel ruby
-%if ! 0%{?bootstrap}
+%if %{without bootstrap}
 BuildRequires:       rubygem(actionpack) = %{version} rubygem(activerecord) = %{version}
 BuildRequires:       rubygem(activejob) = %{version} rubygem(railties) = %{version}
 BuildRequires:       rubygem(rails) = %{version} rubygem(sprockets-rails) rubygem(connection_pool)
-BuildRequires:       rubygem(mini_magick) rubygem(sqlite3)
+BuildRequires:       rubygem(image_processing) rubygem(sqlite3)
 %{?with_ffmpeg:BuildRequires: %{_bindir}/ffmpeg}
 BuildRequires:       %{_bindir}/mutool %{_bindir}/pdftoppm
 %endif
@@ -34,7 +44,8 @@ BuildArch:           noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
+%setup -q -n %{gem_name}-%{version} -b1 -b2
+%patch0 -p2
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -46,7 +57,7 @@ cp -a .%{gem_dir}/* \
         %{buildroot}%{gem_dir}/
 
 %check
-%if ! 0%{?bootstrap}
+%if %{without bootstrap}
 ln -s %{gem_dir}/specifications/rails-%{version}.gemspec .%{gem_dir}/gems/rails.gemspec
 ln -s %{gem_dir}/gems/railties-%{version}/ .%{gem_dir}/gems/railties
 ln -s %{gem_dir}/gems/activerecord-%{version}/ .%{gem_dir}/gems/activerecord
@@ -55,29 +66,40 @@ ln -s %{gem_dir}/gems/actionpack-%{version}/ .%{gem_dir}/gems/actionpack
 ln -s %{gem_dir}/gems/activesupport-%{version}/ .%{gem_dir}/gems/activesupport
 ln -s ${PWD}%{gem_instdir} .%{gem_dir}/gems/%{gem_name}
 pushd .%{gem_dir}/gems/%{gem_name}
-tar xzvf %{SOURCE1}
+ln -s %{_builddir}/tools ..
+cp -a %{_builddir}/test .
 touch Gemfile
 echo 'gem "actionpack"' >> ../Gemfile
 echo 'gem "activerecord"' >> ../Gemfile
 echo 'gem "activejob"' >> ../Gemfile
 echo 'gem "sprockets-rails"' >> ../Gemfile
-echo 'gem "mini_magick"' >> ../Gemfile
+echo 'gem "image_processing"' >> ../Gemfile
 echo 'gem "rails"' >> ../Gemfile
 echo 'gem "sqlite3"' >> ../Gemfile
-cd rails-%{version}/%{gem_name}
-%if ! 0%{?with_ffmpeg}
+%if %{without ffmpeg}
 mv test/analyzer/video_analyzer_test.rb{,.disable}
+mv test/analyzer/audio_analyzer_test.rb{,.disable}
+mv test/previewer/video_previewer_test.rb{,.disable}
 for f in \
   models/preview \
   models/representation \
-  previewer/video_previewer
+  %{nil}
 do
-sed -i '/^  test ".* an MP4 video" do$/,/^  end$/ s/^/#/g' \
+sed -i '/^  test ".* MP4 video.*" do$/,/^  end$/ s/^/#/g' \
   test/${f}_test.rb
 done
-sed -i '/^  test "analyze newly-attached blobs" do$/,/^  end$/ s/^/#/g' \
-  test/models/attachments_test.rb
 %endif
+# Blobs seem to be broken
+# https://github.com/rails/rails/pull/40226
+# https://github.com/rails/rails/issues/44395
+sed -i -e '/test "optimized variation of GIF"/ a skip' \
+    -e '/thumbnail variation of extensionless GIF/ a skip' \
+    -e '/test "resized variation of PSD blob" do/ a skip' \
+    -e '/test "resized variation of BMP blob" do/ a skip' \
+    -e '/test "resized variation of ICO blob" do/ a skip' \
+    -e '/test "resized variation of GIF blob" do/ a skip' \
+    -e '/test "optimized variation of GIF blob" do/ a skip' \
+  test/models/variant_test.rb
 export RUBYOPT="-I${PWD}/../%{gem_name}/lib"
 export PATH="${PWD}/../%{gem_name}/exe:$PATH"
 export BUNDLE_GEMFILE=${PWD}/../Gemfile
@@ -101,5 +123,20 @@ popd
 %doc %{gem_instdir}/README.md
 
 %changelog
+* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 7.0.7-2
+- Fix CVE-2024-26144
+
+* Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1
+- Upgrade to version 7.0.7
+
+* Thu Jan 19 2023 wangkai <wangkai385@h-partners.com> - 7.0.4-1
+- Upgrade to version 7.0.4
+
+* Wed Mar 02 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 6.1.4.1-1
+- update to 6.1.4.1
+
+* Mon Feb  8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
+- Upgrade to 5.2.4.4
+
 * Wed Aug 12 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1
 - Package init