Fix CVE-2022-22577

2024-11-04 11:50:19 +08:00 · 2024-11-04 11:50:19 +08:00 · 3fa1d106aa
commit 3fa1d106aa
parent 27e61067a1
2 changed files with 45 additions and 1 deletions
--- a/backport-CVE-2022-22577.patch
+++ b/backport-CVE-2022-22577.patch
@ -0,0 +1,38 @@
+From d2253115ac2b30f5f7210670af906cebf79cf809 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 8 Mar 2022 13:23:15 -0800
+Subject: [PATCH] Merge pull request #44635 from imtayadeway/tjw/api-csp-i
+
+Generate content security policy for non-HTML responses
+---
+ lib/action_dispatch/http/content_security_policy.rb | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/lib/action_dispatch/http/content_security_policy.rb b/lib/action_dispatch/http/content_security_policy.rb
+index 6f9fb11..a1d0740 100644
+--- a/lib/action_dispatch/http/content_security_policy.rb
+++ b/lib/action_dispatch/http/content_security_policy.rb
+@@ -17,7 +17,6 @@ module ActionDispatch #:nodoc:
+         request = ActionDispatch::Request.new env
+         _, headers, _ = response = @app.call(env)
+ 
+-        return response unless html_response?(headers)
+         return response if policy_present?(headers)
+ 
+         if policy = request.content_security_policy
+@@ -31,12 +30,6 @@ module ActionDispatch #:nodoc:
+ 
+       private
+ 
+-        def html_response?(headers)
+-          if content_type = headers[CONTENT_TYPE]
+-            content_type =~ /html/
+-          end
+-        end
+-
+         def header_name(request)
+           if request.content_security_policy_report_only
+             POLICY_REPORT_ONLY
+-- 
+2.27.0
+
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@ -4,7 +4,7 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.2.4.4
-Release:             6
+Release:             7
 Summary:             Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License:             MIT
 URL:                 http://rubyonrails.org
@ -20,6 +20,8 @@ Patch3:              CVE-2023-22795.patch
 Patch3000:           CVE-2022-23633.patch
 Patch3001:           backport-CVE-2024-41128.patch
 Patch3002:           backport-CVE-2024-47887.patch
+# https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
+Patch3003:           backport-CVE-2022-22577.patch

 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
@ -53,6 +55,7 @@ Documentation for %{name}.
 pushd .%{gem_instdir}
 %patch3001 -p1
 %patch3002 -p1
+%patch3003 -p1
 popd

 %build
@ -84,6 +87,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Mon Nov 4 2024 yinzeqiang <yinzeqiang@chinaredflag.cn> - 1:5.2.4.4-7
+- Fix CVE-2022-22577
+
 * Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-6
 - Fix CVE-2024-41128 and CVE-2024-47887