!21 [sync] PR-19: Fix CVE-2022-45442

From: @openeuler-sync-bot Reviewed-by: @jxy_git Signed-off-by: @jxy_git
2024-11-18 06:34:51 +00:00 · 2024-11-18 06:34:51 +00:00 · 354e9a23e6
commit 354e9a23e6
parent ffa8568ccf 8070424a1c
3 changed files with 102 additions and 1 deletions
--- a/backport-CVE-2022-45442-test.patch
+++ b/backport-CVE-2022-45442-test.patch
@ -0,0 +1,40 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka <namusyaka@gmail.com>
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ test/helpers_test.rb | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/test/helpers_test.rb b/test/helpers_test.rb
+index 463a21d..7201aab 100644
+--- a/test/helpers_test.rb
+++ b/test/helpers_test.rb
+@@ -781,6 +781,18 @@ class HelpersTest < Minitest::Test
+       assert_equal '<sinatra></sinatra>', body
+     end
+ 
+    it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
+      mock_app do
+        get('/attachment') do
+          attachment "test.xml\";\r\next=.txt"
+          response.write("<sinatra></sinatra>")
+        end
+      end
+
+      get '/attachment'
+      assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
+      assert_equal '<sinatra></sinatra>', body
+    end
+   end
+ 
+   describe 'send_file' do
+-- 
+2.47.0
+
--- a/backport-CVE-2022-45442.patch
+++ b/backport-CVE-2022-45442.patch
@ -0,0 +1,51 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka <namusyaka@gmail.com>
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ lib/sinatra/base.rb | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index f5d7729..b20a1f7 100644
+--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
+@@ -357,16 +357,23 @@ module Sinatra
+       response['Content-Type'] = mime_type
+     end
+ 
+    # https://html.spec.whatwg.org/#multipart-form-data
+    MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
+      '"'  => '%22',
+      "\r" => '%0D',
+      "\n" => '%0A'
+    }.freeze
+
+     # Set the Content-Disposition to "attachment" with the specified filename,
+     # instructing the user agents to prompt to save.
+     def attachment(filename = nil, disposition = :attachment)
+       response['Content-Disposition'] = disposition.to_s.dup
+-      if filename
+-        params = '; filename="%s"' % File.basename(filename)
+-        response['Content-Disposition'] << params
+-        ext = File.extname(filename)
+-        content_type(ext) unless response['Content-Type'] or ext.empty?
+-      end
+      return unless filename
+
+      params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
+      response['Content-Disposition'] << params
+      ext = File.extname(filename)
+      content_type(ext) unless response['Content-Type'] || ext.empty?
+     end
+ 
+     # Use the contents of the file at +path+ as the response body.
+-- 
+2.47.0
+
--- a/rubygem-sinatra.spec
+++ b/rubygem-sinatra.spec
@ -3,7 +3,7 @@
 Summary:             Ruby-based web application framework
 Name:                rubygem-%{gem_name}
 Version:             2.0.8.1
-Release:             3
+Release:             4
 License:             MIT
 URL:                 http://www.sinatrarb.com/
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
@ -16,6 +16,11 @@ Patch0:              rubygem-sinatra-2.0.8.1-Fix-failing-tests.patch
 Patch1:              Internal-Sinatra-errors-now-extend-Sinatra-Error-test.patch
 Patch2:              Internal-Sinatra-errors-now-extend-Sinatra-Error.patch
 Patch3:              Fix-broken-spec.patch
+
+# Security fix
+Patch3000:           backport-CVE-2022-45442.patch
+Patch3001:           backport-CVE-2022-45442-test.patch
+
 BuildRequires:       rubygems-devel ruby(release) ruby >= 2.2.0
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt)
@ -42,9 +47,11 @@ pushd %{_builddir}
 %patch0 -p1
 %patch1 -p1
 %patch3 -p1
+%patch3001 -p1
 popd

 %patch2 -p1
+%patch3000 -p1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -89,6 +96,9 @@ popd
 %{gem_instdir}/examples

 %changelog
+* Mon Nov 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:2.0.8.1-4
+- Fix CVE-2022-45442
+
 * Sat May 11 2024 Zhengxin Guo <guozhengxin@kylinos.cn> - 1:2.0.8.1-3
 - fix the correctly ignores syntactically invalid range requests test