Fix CVE-2024-47220
(cherry picked from commit f3af4d9caf00d2e918aea13e9dc0bdeae17b02a4)
This commit is contained in:
starlet-dx
openeuler-sync-bot
parent
e35868243f
commit
3ceec3c878
32
backport-fix-CVE-2024-47220.patch
Normal file
32
backport-fix-CVE-2024-47220.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From f5faca9222541591e1a7c3c97552ebb0c92733c7 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Evans <code@jeremyevans.net>
|
||||
Date: Wed, 18 Sep 2024 14:11:49 -0700
|
||||
Subject: [PATCH] Prevent request smuggling
|
||||
|
||||
If a request has both a content-length and transfer-encoding
|
||||
headers, return a 400 response. This is allowed by RFC 7230
|
||||
section 3.3.3.3.
|
||||
|
||||
Fixes #145
|
||||
---
|
||||
lib/webrick/httprequest.rb | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
|
||||
index d34eac7..15f95a0 100644
|
||||
--- a/lib/webrick/httprequest.rb
|
||||
+++ b/lib/webrick/httprequest.rb
|
||||
@@ -507,6 +507,10 @@ module WEBrick
|
||||
def read_body(socket, block)
|
||||
return unless socket
|
||||
if tc = self['transfer-encoding']
|
||||
+ if self['content-length']
|
||||
+ raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"
|
||||
+ end
|
||||
+
|
||||
case tc
|
||||
when /\Achunked\z/io then read_chunked(socket, block)
|
||||
else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
|
||||
--
|
||||
2.46.0
|
||||
|
||||
@ -2,11 +2,13 @@
|
||||
%global gem_name webrick
|
||||
Name: rubygem-webrick
|
||||
Version: 1.7.0
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: HTTP server toolkit
|
||||
License: Ruby and BSD-2-Clause
|
||||
URL: https://github.com/ruby/webrick
|
||||
Source0: https://rubygems.org/gems/webrick-1.7.0.gem
|
||||
# https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7
|
||||
Patch3000: backport-fix-CVE-2024-47220.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: ruby rsync
|
||||
@ -25,7 +27,7 @@ BuildArch: noarch
|
||||
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.
|
||||
|
||||
%prep
|
||||
%autosetup -n webrick-1.7.0
|
||||
%autosetup -n webrick-%{version} -p1
|
||||
gem spec %{SOURCE0} -l --ruby > webrick.gemspec
|
||||
|
||||
%build
|
||||
@ -68,5 +70,8 @@ mv %{buildroot}/filelist.lst .
|
||||
%{gem_docdir}/*
|
||||
|
||||
%changelog
|
||||
* Mon Aug 02 2021 Ruby_Bot <Ruby_Bot@openeuler.org>
|
||||
* Sun Sep 29 2024 yaoxin <yao_xin001@hoperun.com> - 1.7.0-2
|
||||
- Fix CVE-2024-47220
|
||||
|
||||
* Mon Aug 02 2021 Ruby_Bot <Ruby_Bot@openeuler.org> - 1.7.0-1
|
||||
- Package Spec generated
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user