!49 Fix CVE-2023-22792 and CVE-2023-22795

From: @starlet-dx 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
openeuler-ci-bot 2024-02-05 07:17:46 +00:00 committed by Gitee
commit d0c87cd191
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 113 additions and 1 deletions

CVE-2023-22792.patch (new file, 80 lines)

@ -0,0 +1,80 @@
From 7a7f37f146aa977350cf914eba20a95ce371485f Mon Sep 17 00:00:00 2001
From: sabulikia <sabakiaei@gmail.com>
Date: Thu, 7 Jul 2022 16:10:20 -0400
Subject: [PATCH] Use string#split instead of regex for domain parts
[CVE-2023-22792]
---
.../lib/action_dispatch/middleware/cookies.rb | 48 +++++++++++++----------
1 file changed, 28 insertions(+), 20 deletions(-)
diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
index 2188795..ed4a566 100644
--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
@@ -282,20 +282,6 @@ module ActionDispatch
class CookieJar #:nodoc:
include Enumerable, ChainedCookieJars
- # This regular expression is used to split the levels of a domain.
- # The top level domain can be any string without a period or
- # **.**, ***.** style TLDs like co.uk or com.au
- #
- # www.example.co.uk gives:
- # $& => example.co.uk
- #
- # example.com gives:
- # $& => example.com
- #
- # lots.of.subdomains.example.local gives:
- # $& => example.local
- DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
-
def self.build(req, cookies)
new(req).tap do |hash|
hash.update(cookies)
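Review bot: deleting `DOMAIN_REGEXP` from `CookieJar` is also a public-surface change, not only a security fix; any code that referenced `ActionDispatch::Cookies::CookieJar::DOMAIN_REGEXP` will raise `NameError` once this is applied, so grep the rest of the packaged gem and dependent packages for the constant name before merging, and mention the removal in the changelog. The removal itself is what the patch subject calls for: the constant is the regex the CVE concerns, and the replacement in the second hunk no longer needs it.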
@@ -365,13 +351,35 @@ module ActionDispatch
options[:path] ||= "/"
if options[:domain] == :all || options[:domain] == "all"
- # If there is a provided tld length then we use it otherwise default domain regexp.
- domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
+ cookie_domain = ""
+ dot_splitted_host = request.host.split('.', -1)
+
+ # Case where request.host is not an IP address or it's an invalid domain
+ # (ip confirms to the domain structure we expect so we explicitly check for ip)
+ if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
+ options[:domain] = nil
+ return
+ end
+
+ # If there is a provided tld length then we use it otherwise default domain.
+ if options[:tld_length].present?
+ # Case where the tld_length provided is valid
+ if dot_splitted_host.length >= options[:tld_length]
+ cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+ end
+ # Case where tld_length is not provided
+ else
+ # Regular TLDs
+ if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
+ cookie_domain = dot_splitted_host.last(2).join('.')
+ # **.**, ***.** style TLDs like co.uk and com.au
+ else
+ cookie_domain = dot_splitted_host.last(3).join('.')
+ end
+ end
- # If host is not ip and matches domain regexp.
- # (ip confirms to domain regexp so we explicitly check for ip)
- options[:domain] = if (request.host !~ /^[\d.]+$/) && (request.host =~ domain_regexp)
- ".#{$&}"
+ options[:domain] = if cookie_domain.present?
+ ".#{cookie_domain}"
end
elsif options[:domain].is_a? Array
# If host matches one of the supplied domains without a dot in front of it.
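Review bot: the early `return` after `options[:domain] = nil` exits the whole enclosing method, not just the `:all` branch, so any option handling that follows the domain block in this method is skipped for IP-address, single-label and malformed hosts; the hunk's context ends at the `elsif options[:domain].is_a? Array` branch, so please confirm against the rest of the method that nothing after it still needs to run. Two quieter behaviour points are worth a comment in the code: when `tld_length` is larger than the number of host labels, `cookie_domain` stays empty and the domain silently becomes `nil` (the old regex also failed to match there, so this is unchanged but now implicit), and the remaining regex `/([^.]{2,3}\.[^.]{2})$/` uses only bounded quantifiers with no nesting, so it cannot backtrack catastrophically, but it still recognises only `xx.yy` / `xxx.yy` style second-level TLDs, the same limitation the removed comment described. Since the stat shows `1 file changed` (only `cookies.rb`), running actionpack's cookie tests against the patched gem, including the `:all` with and without `tld_length` cases, is the check that would catch a regression here.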
--
2.33.0

CVE-2023-22795.patch (new file, 23 lines)

@ -0,0 +1,23 @@
From 484fc9185db6c6a6a49ab458b11f9366da02bab2 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Fri, 13 Jan 2023 15:54:40 -0800
Subject: [PATCH] Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
---
.../lib/action_dispatch/http/cache.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
index 9c46c5c8a4d81..d9d6f325342ea 100644
--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
@@ -18,7 +18,7 @@ def if_none_match
end
def if_none_match_etags
- if_none_match ? if_none_match.split(/\s*,\s*/) : []
+ if_none_match ? if_none_match.split(",").each(&:strip!) : []
end
def not_modified?(modified_at)
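Review bot: `split(",").each(&:strip!)` works only because `each` returns the receiver; `strip!` itself returns `nil` when nothing changed, so the obvious refactor to `map(&:strip!)` would be wrong, while `map(&:strip)` expresses the intent without in-place mutation and is the idiomatic form. If `each(&:strip!)` is kept, a one-line comment explaining that choice will save the next reader from "fixing" it. The element-level behaviour is otherwise equivalent to the old `split(/\s*,\s*/)` for normal headers (`a, b` and `a,,b` give the same arrays), and splitting on the literal comma runs in linear time because there is no longer a pattern with `\s*` on both sides of the separator to backtrack over. Since the backport changes only `cache.rb` (`1 file changed`), a regression test asserting on the stripped elements returned by `if_none_match_etags` would pin the new behaviour.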

(RPM spec file)

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name}
Epoch: 1
Version: 5.2.4.4
Release: 3
Release: 4
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT
URL: http://rubyonrails.org
@ -12,6 +12,10 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
Patch0: CVE-2021-22885.patch
Patch1: CVE-2021-22904.patch
# https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f
Patch2: CVE-2023-22792.patch
# https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
Patch3: CVE-2023-22795.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
%if ! 0%{?bootstrap}
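Review bot: the two comment lines pointing at the upstream commits are good practice, and the hashes match the `From` lines of the two patch files (`7a7f37f1…` and `484fc918…`), which keeps the backport auditable; Patch0 and Patch1 carry no such provenance, so it would help future maintainers to add the corresponding upstream commit or advisory references for them in the same style.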
@ -38,6 +42,8 @@ Documentation for %{name}.
%gem_install -n %{SOURCE0}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
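Review bot: `%patch2 -p1` and `%patch3 -p1` are applied after `%gem_install`, which is required here because both patch files are rooted at `a/usr/share/gems/gems/actionpack-5.2.4.4/…`, i.e. they target the installed gem tree rather than the Source1 tarball; that ordering matches Patch0/Patch1 but is easy to break when reorganising `%prep`, so a short comment stating that the patches apply to the installed tree would be worth adding.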
@ -68,6 +74,9 @@ popd
%doc %{gem_instdir}/README.rdoc
%changelog
* Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-4
- Fix CVE-2023-22792 and CVE-2023-22795
* Mon Jun 28 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-3
- Fix CVE-2021-22904
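Review bot: the new changelog entry correctly includes the epoch (`1:5.2.4.4-4`) that the spec declares, which the earlier `5.2.4.4-3` entry omits, so the version strings are now consistent with `Epoch: 1` going forward; naming the affected components (cookie domain parsing and If-None-Match parsing in actionpack) alongside the CVE ids would make the entry more useful to anyone triaging the package later.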