packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!73 [sync] PR-68: fix CVE-2025-27610

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2025-03-13 02:14:07 +00:00 committed by Gitee
commit f70e1efe91
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Fix-CVE-2025-27610.patch Normal file
View File

@ -0,0 +1,28 @@
From 50caab74fa01ee8f5dbdee7bb2782126d20c6583 Mon Sep 17 00:00:00 2001
From: Samuel Williams <samuel.williams@oriontransfer.co.nz>
Date: Sat, 8 Mar 2025 11:13:39 +1300
Subject: [PATCH] Use a fully resolved file path when confirming if a file can
be served by `Rack::Static`.
---
lib/rack/static.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/rack/static.rb b/lib/rack/static.rb
index 8cb58b2..0ea78a1 100644
--- a/lib/rack/static.rb
+++ b/lib/rack/static.rb
@@ -122,8 +122,9 @@ module Rack
def call(env)
path = env[PATH_INFO]
+ actual_path = Utils.clean_path_info(Utils.unescape_path(path))
- if can_serve(path)
+ if can_serve(actual_path)
if overwrite_file_path(path)
env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
--
2.46.0

9
rubygem-rack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name}
Version: 2.2.4
Epoch: 1
Release: 8
Release: 9
Summary: A modular Ruby webserver interface
License: MIT and BSD
URL: https://rack.github.io/
@ -17,6 +17,7 @@ Patch4: Fix-CVE-2024-25126.patch
Patch5: Fix-CVE-2022-44570.patch
Patch6: Fix-CVE-2022-44571.patch
Patch7: Fix-CVE-2022-44572.patch
Patch8: Fix-CVE-2025-27610.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 git
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client)
@ -105,6 +106,12 @@ popd
%doc %{gem_instdir}/contrib
%changelog
* Wed Mar 12 2025 changtao <changtao@kylinos.cn> - 1:2.2.4-9
- Type:CVE
- CVE:CVE-2025-27610
- SUG:NA
- DESC:fix CVE-2025-27610
* Thu Apr 11 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:2.2.4-8
- Type:CVES
- ID:CVE-2022-44572