Fix CVE-2024-47220

(cherry picked from commit f3af4d9caf00d2e918aea13e9dc0bdeae17b02a4)
starlet-dx 2024-09-29 15:40:56 +08:00 committed by openeuler-sync-bot
parent e35868243f
commit 3ceec3c878
2 changed files with 40 additions and 3 deletions


@ -0,0 +1,32 @@
From f5faca9222541591e1a7c3c97552ebb0c92733c7 Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Wed, 18 Sep 2024 14:11:49 -0700
Subject: [PATCH] Prevent request smuggling
If a request has both a content-length and transfer-encoding
headers, return a 400 response. This is allowed by RFC 7230
section 3.3.3.3.
Fixes #145
---
lib/webrick/httprequest.rb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index d34eac7..15f95a0 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -507,6 +507,10 @@ module WEBrick
def read_body(socket, block)
return unless socket
if tc = self['transfer-encoding']
+ if self['content-length']
+ raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"
+ end
+
case tc
when /\Achunked\z/io then read_chunked(socket, block)
else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
--
2.46.0
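Review bot: the new guard `if self['content-length'] ... raise HTTPStatus::BadRequest` is nested inside `if tc = self['transfer-encoding']` in `read_body`, so the 400 is raised only once a body is actually read and a Transfer-Encoding header is present; that is the correct place for it, since it runs before the `case tc` dispatch to `read_chunked`, and a plain Content-Length request is unaffected. One documentation point on the patch description: it cites "RFC 7230 section 3.3.3.3", but the rule that a server MAY reject a message carrying both headers with 400 is item 3 of section 3.3.3 (Message Body Length); writing it as "section 3.3.3, item 3" would make the reference resolvable.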


@ -2,11 +2,13 @@
%global gem_name webrick %global gem_name webrick
Name: rubygem-webrick Name: rubygem-webrick
Version: 1.7.0 Version: 1.7.0
Release: 1 Release: 2
Summary: HTTP server toolkit Summary: HTTP server toolkit
License: Ruby and BSD-2-Clause License: Ruby and BSD-2-Clause
URL: https://github.com/ruby/webrick URL: https://github.com/ruby/webrick
Source0: https://rubygems.org/gems/webrick-1.7.0.gem Source0: https://rubygems.org/gems/webrick-1.7.0.gem
# https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7
Patch3000: backport-fix-CVE-2024-47220.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: ruby rsync BuildRequires: ruby rsync
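Review bot: the comment above `Patch3000` records the upstream commit f5faca9222541591e1a7c3c97552ebb0c92733c7, which matches the `From` line of the backport file, so the provenance is traceable; adding the CVE id to that comment as well (it currently lives only in the patch file name) would let the mapping be found from the spec alone. The Release bump from 1 to 2 in this hunk is consistent with the new changelog entry.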
@ -25,7 +27,7 @@ BuildArch: noarch
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server. WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.
%prep %prep
%autosetup -n webrick-1.7.0 %autosetup -n webrick-%{version} -p1
gem spec %{SOURCE0} -l --ruby > webrick.gemspec gem spec %{SOURCE0} -l --ruby > webrick.gemspec
%build %build
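Review bot: the `%autosetup` change is what makes `Patch3000` take effect: without `-p1` the patch listed in the header would not be applied, and `-p1` is the right strip level for the `a/lib/webrick/httprequest.rb` / `b/lib/webrick/httprequest.rb` paths in the backport. Switching `-n webrick-1.7.0` to `-n webrick-%{version}` also keeps the unpacked directory name tied to the Version tag rather than a duplicated literal.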
@ -68,5 +70,8 @@ mv %{buildroot}/filelist.lst .
%{gem_docdir}/* %{gem_docdir}/*
%changelog %changelog
* Mon Aug 02 2021 Ruby_Bot <Ruby_Bot@openeuler.org> * Sun Sep 29 2024 yaoxin <yao_xin001@hoperun.com> - 1.7.0-2
- Fix CVE-2024-47220
* Mon Aug 02 2021 Ruby_Bot <Ruby_Bot@openeuler.org> - 1.7.0-1
- Package Spec generated - Package Spec generated
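Review bot: the new changelog entry states only "Fix CVE-2024-47220"; since this is where downstream consumers look first, add the one-line effect of the change next to the id (WEBrick now returns 400 for a request carrying both Transfer-Encoding and Content-Length headers). Date and version in the entry (Sun Sep 29 2024, 1.7.0-2) agree with the Release bump in the header hunk.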