!39 [sync] PR-38: Fix CVE-2024-25126

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
openeuler-ci-bot 2024-04-02 06:09:19 +00:00 committed by Gitee
commit 89a016480a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 59 additions and 1 deletions

Fix-CVE-2024-25126.patch Normal file

@ -0,0 +1,51 @@
From d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Wed, 6 Dec 2023 18:32:19 +0100
Subject: [PATCH] Avoid 2nd degree polynomial regexp in MediaType
---
lib/rack/media_type.rb | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
index 41937c99..7fc1e39d 100644
--- a/lib/rack/media_type.rb
+++ b/lib/rack/media_type.rb
@@ -4,7 +4,7 @@ module Rack
# Rack::MediaType parse media type and parameters out of content_type string
class MediaType
- SPLIT_PATTERN = %r{\s*[;,]\s*}
+ SPLIT_PATTERN = /[;,]/
class << self
# The media type (type/subtype) portion of the CONTENT_TYPE header
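Review bot: dropping the `\s*` on both sides of the delimiter in SPLIT_PATTERN is the whole fix for the second-degree polynomial behaviour named in the subject line, since `/[;,]/` no longer has to retry across runs of whitespace; it also means SPLIT_PATTERN no longer trims the pieces it returns, so every use of the constant must now strip on its own (the `type` and `params` hunks below do). Please check that no other reference to SPLIT_PATTERN in media_type.rb still relies on the old trimming.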
@@ -15,7 +15,11 @@ module Rack
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
def type(content_type)
return nil unless content_type
- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
+ if type = content_type.split(SPLIT_PATTERN, 2).first
+ type.rstrip!
+ type.downcase!
+ type
+ end
end
# The media type parameters provided in CONTENT_TYPE as a Hash, or
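Review bot: the assignment inside `if type = content_type.split(SPLIT_PATTERN, 2).first` is easy to misread as a comparison; `type = ...` followed by `return nil unless type` (or parenthesising the assignment) says the same thing more plainly. The guard itself is an improvement: `"".split` returns an empty array, so for an empty content_type the removed `.first.tap &:downcase!` raised NoMethodError on nil, whereas the new form returns nil.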
@@ -27,9 +31,10 @@ module Rack
return {} if content_type.nil?
content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
+ s.strip!
k, v = s.split('=', 2)
-
- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
+ k.downcase!
+ hsh[k] = strip_doublequotes(v)
end
end
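Review bot: `k.downcase!` has no nil check: a segment that is empty after `s.strip!` (a trailing `;` followed only by whitespace, or a doubled `;;`) makes `s.split('=', 2)` return `[]`, so `k` is nil and the line raises NoMethodError instead of skipping the segment. The old `\s*` pattern swallowed the trailing `; ` case, so for that input this is a small regression; adding `next if s.empty?` right after `s.strip!` keeps a malformed header from turning into an exception.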
--
2.25.1
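Review bot: the diffstat shows only lib/rack/media_type.rb changing, so the backport ships without a regression test; a case in the MediaType tests asserting that `type` and `params` still return the same values for a Content-Type containing a long run of whitespace, and do so promptly, would lock the fix in and catch any future reintroduction of `\s*` into SPLIT_PATTERN.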


@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.2.4 Version: 2.2.4
Epoch: 1 Epoch: 1
Release: 3 Release: 4
Summary: A modular Ruby webserver interface Summary: A modular Ruby webserver interface
License: MIT and BSD License: MIT and BSD
URL: https://rack.github.io/ URL: https://rack.github.io/
@ -13,6 +13,7 @@ Patch0: 2-2-multipart-dos.patch
Patch1: 2-2-header-redos.patch Patch1: 2-2-header-redos.patch
Patch2: Fix-CVE-2024-26141.patch Patch2: Fix-CVE-2024-26141.patch
Patch3: Fix-CVE-2024-26146.patch Patch3: Fix-CVE-2024-26146.patch
Patch4: Fix-CVE-2024-25126.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest) BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client) BuildRequires: rubygem(memcache-client)
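Review bot: Patch4 is only declared here; the hunk does not show %prep, so please confirm the patch is actually applied there (an `%autosetup -p1` picks it up automatically, while an explicit `%patch` list needs a new entry for Patch4) and that it applies cleanly on top of Patch0 through Patch3, which precede it in the same 2.2.4 tree.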
@ -101,6 +102,12 @@ popd
%doc %{gem_instdir}/contrib %doc %{gem_instdir}/contrib
%changelog %changelog
* Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-4
- Type:CVES
- ID:CVE-2024-25126
- SUG:NA
- DESC:CVE-2024-25126
* Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-3 * Tue Apr 02 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-3
- Type:CVES - Type:CVES
- ID:CVE-2024-26146 - ID:CVE-2024-26146
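Review bot: the DESC line of the new changelog entry only repeats the CVE id from the ID line; a short description of what changed (avoid the polynomial-time regexp in Rack::MediaType, per the patch subject) makes the changelog useful without opening the patch. The Release bump to 4 in the first hunk matches the 1:2.2.4-4 in this entry.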