From a58e7247e596538ec31c22686ddfc56bdc8d5600 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 11 Sep 2023 11:35:28 +0800
Subject: [PATCH] Fix CVE-2023-38037

---
 CVE-2023-38037.patch  | 59 +++++++++++++++++++++++++++++++++++++++++++
 rubygem-railties.spec |  7 ++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-38037.patch

diff --git a/CVE-2023-38037.patch b/CVE-2023-38037.patch
new file mode 100644
index 0000000..309546c
--- /dev/null
+++ b/CVE-2023-38037.patch
@@ -0,0 +1,59 @@
+From a21d6edf35a60383dfa6c4da49e4b1aef5f00731 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 22 Aug 2023 09:58:43 -0700
+Subject: [PATCH] Use a temporary file for storing unencrypted files while
+ editing
+
+Origin: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
+
+When we're editing the contents of encrypted files, we should use the
+`Tempfile` class because it creates temporary files with restrictive
+permissions.  This prevents other users on the same system from reading
+the contents of those files while the user is editing them.
+
+[CVE-2023-38037]
+---
+ .../lib/active_support/encrypted_file.rb       | 17 ++++++++---------
+ activesupport/test/encrypted_file_test.rb      |  8 ++++++++
+ railties/lib/rails/secrets.rb                  | 18 ++++++++++--------
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/railties/lib/rails/secrets.rb b/railties/lib/rails/secrets.rb
+index 54ba53c03b981..913d5e57c1bfb 100644
+--- a/railties/lib/rails/secrets.rb
++++ b/railties/lib/rails/secrets.rb
+@@ -1,6 +1,7 @@
+ # frozen_string_literal: true
+ 
+ require "yaml"
++require "tempfile"
+ require "active_support/message_encryptor"
+ 
+ module Rails
+@@ -87,17 +88,18 @@ def preprocess(path)
+         end
+ 
+         def writing(contents)
+-          tmp_file = "#{File.basename(path)}.#{Process.pid}"
+-          tmp_path = File.join(Dir.tmpdir, tmp_file)
+-          IO.binwrite(tmp_path, contents)
++          file_name = "#{File.basename(path)}.#{Process.pid}"
+ 
+-          yield tmp_path
++          Tempfile.create(["", "-" + file_name]) do |tmp_file|
++            tmp_path = Pathname.new(tmp_file)
++            tmp_path.binwrite contents
+ 
+-          updated_contents = IO.binread(tmp_path)
++            yield tmp_path
+ 
+-          write(updated_contents) if updated_contents != contents
+-        ensure
+-          FileUtils.rm(tmp_path) if File.exist?(tmp_path)
++            updated_contents = tmp_path.binread
++
++            write(updated_contents) if updated_contents != contents
++          end
+         end
+ 
+         def encryptor
diff --git a/rubygem-railties.spec b/rubygem-railties.spec
index 4856b79..353d33a 100644
--- a/rubygem-railties.spec
+++ b/rubygem-railties.spec
@@ -4,7 +4,7 @@
 
 Name:                rubygem-%{gem_name}
 Version:             7.0.7
-Release:             1
+Release:             2
 Summary:             Tools for creating, working with, and running Rails applications
 License:             MIT
 URL:                 http://rubyonrails.org
@@ -21,6 +21,7 @@ Source2:             rails-%{version}-tools.txz
 # Fixes for Minitest 5.16+
 # https://github.com/rails/rails/pull/45380
 Patch1:              rubygem-railties-7.0.2.3-Remove-the-multi-call-form-of-assert_called_with.patch
+Patch2:              CVE-2023-38037.patch
 
 Recommends: ruby(irb)
 Suggests:            %{_bindir}/sqlite3
@@ -55,6 +56,7 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version} -b1 -b2
+%patch2 -p2
 
 pushd %{_builddir}
 %patch1 -p2
@@ -208,6 +210,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Sep 11 2023 wangkai <13474090681@163.com> - 7.0.7-2
+- Fix CVE-2023-38037
+
 * Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1
 - Upgrade to version 7.0.7