packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!73 Fix CVE-2022-22577

Browse Source 
From: @Higos997 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu
This commit is contained in:
openeuler-ci-bot 2024-12-19 03:48:18 +00:00 committed by Gitee
commit fb0c725b68
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
backport-CVE-2022-22577.patch Normal file
View File

@ -0,0 +1,38 @@
From d2253115ac2b30f5f7210670af906cebf79cf809 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Tue, 8 Mar 2022 13:23:15 -0800
Subject: [PATCH] Merge pull request #44635 from imtayadeway/tjw/api-csp-i
Generate content security policy for non-HTML responses
---
lib/action_dispatch/http/content_security_policy.rb | 7 -------
1 file changed, 7 deletions(-)
diff --git a/lib/action_dispatch/http/content_security_policy.rb b/lib/action_dispatch/http/content_security_policy.rb
index 6f9fb11..a1d0740 100644
--- a/lib/action_dispatch/http/content_security_policy.rb
+++ b/lib/action_dispatch/http/content_security_policy.rb
@@ -17,7 +17,6 @@ module ActionDispatch #:nodoc:
request = ActionDispatch::Request.new env
_, headers, _ = response = @app.call(env)
- return response unless html_response?(headers)
return response if policy_present?(headers)
if policy = request.content_security_policy
@@ -31,12 +30,6 @@ module ActionDispatch #:nodoc:
private
- def html_response?(headers)
- if content_type = headers[CONTENT_TYPE]
- content_type =~ /html/
- end
- end
-
def header_name(request)
if request.content_security_policy_report_only
POLICY_REPORT_ONLY
--
2.27.0

8
rubygem-actionpack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 5.2.4.4 Version: 5.2.4.4
Release: 6 Release: 7
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -20,6 +20,8 @@ Patch3: CVE-2023-22795.patch
Patch3000: CVE-2022-23633.patch Patch3000: CVE-2022-23633.patch
Patch3001: backport-CVE-2024-41128.patch Patch3001: backport-CVE-2024-41128.patch
Patch3002: backport-CVE-2024-47887.patch Patch3002: backport-CVE-2024-47887.patch
# https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
Patch3003: backport-CVE-2022-22577.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2
%if ! 0%{?bootstrap} %if ! 0%{?bootstrap}
@ -53,6 +55,7 @@ Documentation for %{name}.
pushd .%{gem_instdir} pushd .%{gem_instdir}
%patch3001 -p1 %patch3001 -p1
%patch3002 -p1 %patch3002 -p1
%patch3003 -p1
popd popd
%build %build
@ -84,6 +87,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Mon Nov 4 2024 yinzeqiang <yinzeqiang@chinaredflag.cn> - 1:5.2.4.4-7
- Fix CVE-2022-22577
* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-6 * Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-6
- Fix CVE-2024-41128 and CVE-2024-47887 - Fix CVE-2024-41128 and CVE-2024-47887