rubygem-activestorage/CVE-2024-26144.patch
2024-02-28 11:31:51 +08:00


From 723f54566023e91060a67b03353e7c03e7436433 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
<rafael@rubyonrails.org>
Date: Thu, 3 Aug 2023 16:00:34 -0400
Subject: [PATCH] Merge pull request #48869 from
brunoprietog/disable-session-active-storage-proxy-controllers
Disable session in ActiveStorage blobs and representations proxy controllers
[CVE-2024-26144]
---
activestorage/CHANGELOG.md | 8 ++++++++
.../active_storage/blobs/proxy_controller.rb | 1 +
.../representations/proxy_controller.rb | 1 +
.../concerns/active_storage/disable_session.rb | 12 ++++++++++++
4 files changed, 22 insertions(+)
create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
index 6ec2772717c70..438623858474e 100644
--- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
@@ -9,6 +9,7 @@
class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
include ActiveStorage::Streaming
+ include ActiveStorage::DisableSession
def show
if request.headers["Range"].present?
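Review bot: The added `include ActiveStorage::DisableSession` gives no hint of why a streaming controller opts out of the session, and the same bare include is added to ActiveStorage::Representations::ProxyController in the next hunk. Because the concern only sets a flag that the session middleware consults when the response is committed, its position after `SetBlob` and `Streaming` does not matter, but a reader tracing the CVE fix has to open the concern to learn that. A why-comment at the include site would make the intent self-evident: `include ActiveStorage::DisableSession # publicly cacheable responses must never carry a session Set-Cookie`. The class body continues past the end of the hunk.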
diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
index 0f6c0f79978ab..7024f6534a501 100644
--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
@@ -8,6 +8,7 @@
# {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
include ActiveStorage::Streaming
+ include ActiveStorage::DisableSession
def show
http_cache_forever public: true do
diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
new file mode 100644
index 0000000000000..200ad7c9d23ac
--- /dev/null
+++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
+module ActiveStorage::DisableSession
+ extend ActiveSupport::Concern
+
+ included do
+ before_action do
+ request.session_options[:skip] = true
+ end
+ end
+end
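Review bot: The header comment on the new concern only says it enables CDN caching; it should state the mechanism and its side effect, since `request.session_options[:skip] = true` is honoured by the Rack session store at commit time, so any session writes performed by other before_actions or by application subclasses of these controllers are silently discarded rather than raising. A comment such as `# Flags the request so the session middleware never emits a Set-Cookie for these publicly cacheable responses (the CVE-2024-26144 fix); session reads should still work, writes are dropped silently.` would make that explicit for applications that subclass the proxy controllers for authentication. The existing comment's `as CloudFlare` reads better as `such as Cloudflare`. The before_action is anonymous, so subclasses cannot opt out with `skip_before_action`; if that is deliberate it is worth saying so, otherwise `before_action :skip_session` with a private method gives them that hook.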