Fix CVE-2022-45442

2024-11-20 09:32:45 +08:00 · 2024-11-20 09:32:45 +08:00 · 1fabbed011
commit 1fabbed011
parent 32da2c7515
5 changed files with 136 additions and 34 deletions
--- a/Fix-broken-spec.patch
+++ b/Fix-broken-spec.patch
@ -0,0 +1,29 @@
+From 5baa1c8ddcadfdfe07b74c2a72fc9a29121851fd Mon Sep 17 00:00:00 2001
+From: Jordan Owens <jkowens@gmail.com>
+Date: Sun, 22 Jan 2023 19:28:40 -0500
+Subject: [PATCH] Fix broken spec
+
+HTTP ranges with non decimal characters is treated as range 0..0 as of Rack 2.2.6.2.
+
+Origin:
+https://github.com/sinatra/sinatra/commit/5baa1c8ddcadfdfe07b74c2a72fc9a29121851fd
+---
+ test/static_test.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/static_test.rb b/test/static_test.rb
+index d0cbbb0..5e3c34d 100644
+--- a/test/static_test.rb
+++ b/test/static_test.rb
+@@ -153,7 +153,7 @@ class StaticTest < Minitest::Test
+ 
+   it 'correctly ignores syntactically invalid range requests' do
+     # ...and also ignores multi-range requests, which aren't supported yet
+-    ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=-", "bytes=1-2,3-4"].each do |http_range|
+    ["bytes=45-40", "octets=10-20", "bytes=", "bytes=3-1,4-5"].each do |http_range|
+       request = Rack::MockRequest.new(@app)
+       response = request.get("/#{File.basename(__FILE__)}", 'HTTP_RANGE' => http_range)
+ 
+-- 
+2.27.0
+
--- a/Fix-failing-tests.patch
+++ b/Fix-failing-tests.patch
@ -1,25 +0,0 @@
-From 750aa3b0de06dad41539bdb402123b5416a3475d Mon Sep 17 00:00:00 2001
-From: Jordan Owens <jkowens@gmail.com>
-Date: Tue, 10 Mar 2020 10:24:05 -0400
-Subject: [PATCH] Fix failing tests
-
-Rack added support for Multi-part ranges and apparently changed the
-format of cookie expires timestamp format to match specs.
---
- test/static_test.rb |  3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-diff --git a/test/static_test.rb b/test/static_test.rb
-index e8408b14e..1c6cb35e9 100644
--- a/test/static_test.rb
-+++ b/test/static_test.rb
-@@ -152,8 +152,7 @@ def assert_valid_range(http_range, range, path, file)
-   end
- 
-   it 'correctly ignores syntactically invalid range requests' do
-    # ...and also ignores multi-range requests, which aren't supported yet
-    ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=-", "bytes=1-2,3-4"].each do |http_range|
-+    ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=", "bytes=3-1,4-5"].each do |http_range|
-       request = Rack::MockRequest.new(@app)
-       response = request.get("/#{File.basename(__FILE__)}", 'HTTP_RANGE' => http_range)
- 
--- a/backport-CVE-2022-45442-test.patch
+++ b/backport-CVE-2022-45442-test.patch
@ -0,0 +1,40 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka <namusyaka@gmail.com>
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ test/helpers_test.rb | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/test/helpers_test.rb b/test/helpers_test.rb
+index 52d5fbc..217c9fc 100644
+--- a/test/helpers_test.rb
+++ b/test/helpers_test.rb
+@@ -781,6 +781,18 @@ class HelpersTest < Minitest::Test
+       assert_equal '<sinatra></sinatra>', body
+     end
+ 
+    it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
+      mock_app do
+        get('/attachment') do
+          attachment "test.xml\";\r\next=.txt"
+          response.write("<sinatra></sinatra>")
+        end
+      end
+
+      get '/attachment'
+      assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
+      assert_equal '<sinatra></sinatra>', body
+    end
+   end
+ 
+   describe 'send_file' do
+-- 
+2.47.0
+
--- a/backport-CVE-2022-45442.patch
+++ b/backport-CVE-2022-45442.patch
@ -0,0 +1,51 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka <namusyaka@gmail.com>
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ lib/sinatra/base.rb | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index 727078d..ccd5c85 100644
+--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
+@@ -357,16 +357,23 @@ module Sinatra
+       response['Content-Type'] = mime_type
+     end
+ 
+    # https://html.spec.whatwg.org/#multipart-form-data
+    MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
+      '"'  => '%22',
+      "\r" => '%0D',
+      "\n" => '%0A'
+    }.freeze
+
+     # Set the Content-Disposition to "attachment" with the specified filename,
+     # instructing the user agents to prompt to save.
+     def attachment(filename = nil, disposition = :attachment)
+       response['Content-Disposition'] = disposition.to_s
+-      if filename
+-        params = '; filename="%s"' % File.basename(filename)
+-        response['Content-Disposition'] << params
+-        ext = File.extname(filename)
+-        content_type(ext) unless response['Content-Type'] or ext.empty?
+-      end
+      return unless filename
+
+      params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
+      response['Content-Disposition'] << params
+      ext = File.extname(filename)
+      content_type(ext) unless response['Content-Type'] || ext.empty?
+     end
+ 
+     # Use the contents of the file at +path+ as the response body.
+-- 
+2.47.0
+
--- a/rubygem-sinatra.spec
+++ b/rubygem-sinatra.spec
@ -3,12 +3,17 @@
 Summary:             Ruby-based web application framework
 Name:                rubygem-%{gem_name}
 Version:             2.0.3
-Release:             2
+Release:             3
 License:             MIT
 URL:                 http://www.sinatrarb.com/
 Source0:             https://rubygems.org/gems/sinatra-%{version}.gem
 Source1:             https://github.com/sinatra/sinatra/archive/v%{version}.tar.gz
-Patch0:              Fix-failing-tests.patch
+Patch0:              Fix-broken-spec.patch
+
+# Security fix
+Patch3000:           backport-CVE-2022-45442.patch
+Patch3001:           backport-CVE-2022-45442-test.patch
+
 BuildRequires:       rubygems-devel
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt)
@ -29,12 +34,13 @@ Obsoletes:           %{name}-doc < %{version}-%{release}
 This package contains documentation for %{name}.

 %prep
-gem unpack %{SOURCE0}
-%setup -q -D -T -n  %{gem_name}-%{version}
-gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
+%setup -q -n %{gem_name}-%{version} -b 1
+%patch0 -p1
+%patch3000 -p1
+%patch3001 -p1

 %build
-gem build %{gem_name}.gemspec
+gem build ../%{gem_name}-%{version}.gemspec
 %gem_install

 %install
@ -46,9 +52,7 @@ sed -i -e 's|^#!/usr/bin/env ruby|#!/usr/bin/ruby|' \
 %check
 %if ! 0%{?bootstrap}
 pushd .%{gem_instdir}
-tar xzvf %{SOURCE1}
-cd %{gem_name}-%{version}
-cat %{PATCH0} | patch -p1
+ln -s %{_builddir}/%{gem_name}-%{version}/test test
 for FILE in $(grep -rl '^require.*bundler.*' test/); do
  sed -i "/^require 'bundler.*'/ s/^/#/" ${FILE}
 done
@ -80,6 +84,9 @@ popd
 %{gem_instdir}/examples

 %changelog
+* Wed Nov 20 2024 yaoxin <yao_xin001@hoperun.com> - 1:2.0.3-3
+- Fix CVE-2022-45442
+
 * Fri Dec 03 2021 xu_ping <xuping33@huawei.com> - 2.0.3-2
 - Fix tests failed