packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!48 [sync] PR-47: Fix CVE-2021-41819

Browse Source 
Merge pull request !48 from openeuler-sync-bot/sync-pr47-openEuler-20.03-LTS-SP1-to-openEuler-20.03-LTS-SP3
This commit is contained in:
openeuler-ci-bot 2022-01-15 11:10:20 +00:00 committed by Gitee
commit cdaed5406f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
CVE-2021-41819.patch Normal file
View File

@ -0,0 +1,38 @@
From 052eb3a828b0f99bca39cfd800f6c2b91307dbd5 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Mon, 29 Jun 2020 10:29:25 +0900
Subject: [PATCH] When parsing cookies, only decode the values
---
lib/cgi/cookie.rb | 1 -
test/cgi/test_cgi_cookie.rb | 5 +++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
index ae9ab58..6b0d89c 100644
--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
@@ -165,7 +165,6 @@ def self.parse(raw_cookie)
raw_cookie.split(/;\s?/).each do |pairs|
name, values = pairs.split('=',2)
next unless name and values
- name = CGI.unescape(name)
values ||= ""
values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
if cookies.has_key?(name)
diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb
index 115a57e..985cc0d 100644
--- a/test/cgi/test_cgi_cookie.rb
+++ b/test/cgi/test_cgi_cookie.rb
@@ -101,6 +101,11 @@ def test_cgi_cookie_parse
end
end
+ def test_cgi_cookie_parse_not_decode_name
+ cookie_str = "%66oo=baz;foo=bar"
+ cookies = CGI::Cookie.parse(cookie_str)
+ assert_equal({"%66oo" => ["baz"], "foo" => ["bar"]}, cookies)
+ end
def test_cgi_cookie_arrayinterface
cookie = CGI::Cookie.new('name1', 'a', 'b', 'c')

6
ruby.spec
View File

@ -1,6 +1,6 @@
Name: ruby Name: ruby
Version: 2.5.8 Version: 2.5.8
Release: 114 Release: 115
Summary: Object-oriented scripting language interpreter Summary: Object-oriented scripting language interpreter
License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
URL: https://www.ruby-lang.org/ URL: https://www.ruby-lang.org/
@ -39,6 +39,7 @@ Patch0013: CVE-2019-19204.patch
Patch0014: CVE-2019-19246.patch Patch0014: CVE-2019-19246.patch
Patch0015: CVE-2019-16163.patch Patch0015: CVE-2019-16163.patch
Patch0016: CVE-2020-25613.patch Patch0016: CVE-2020-25613.patch
Patch0017: CVE-2021-41819.patch
Patch6000: backport-0001-CVE-2021-28965.patch Patch6000: backport-0001-CVE-2021-28965.patch
Patch6001: backport-0002-CVE-2021-28965.patch Patch6001: backport-0002-CVE-2021-28965.patch
Patch6002: backport-CVE-2021-31799.patch Patch6002: backport-CVE-2021-31799.patch
@ -581,6 +582,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
%exclude %{gem_dir}/gems/xmlrpc-0.3.0/.* %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*
%changelog %changelog
* Fri Jan 14 2022 yaoxin <yaoxin30@huawei.com> - 2.5.8-115
- Fix CVE-2021-41819
* Sat Jul 31 2021 shixuantong <shixuantong@huawei.com> - 2.5.8-114 * Sat Jul 31 2021 shixuantong <shixuantong@huawei.com> - 2.5.8-114
- Type:cves - Type:cves
- ID:CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 - ID:CVE-2021-31799 CVE-2021-31810 CVE-2021-32066