pkgsrc-Changes archive


CVS commit: pkgsrc/www/ruby-actionpack52



Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Jun 29 16:00:08 UTC 2023

Modified Files:
        pkgsrc/www/ruby-actionpack52: Makefile distinfo
Added Files:
        pkgsrc/www/ruby-actionpack52/patches:
            patch-lib_action__controller_metal_redirecting.rb

Log Message:
www/ruby-actionpack52: add fix for CVE-2023-28362

Apply a patch similar to the one in Rails 6.1.7.4/7.0.5.1.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-actionpack52/Makefile
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/ruby-actionpack52/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/ruby-actionpack52/Makefile
diff -u pkgsrc/www/ruby-actionpack52/Makefile:1.3 pkgsrc/www/ruby-actionpack52/Makefile:1.4
--- pkgsrc/www/ruby-actionpack52/Makefile:1.3   Wed Jan  4 15:22:02 2023
+++ pkgsrc/www/ruby-actionpack52/Makefile       Thu Jun 29 16:00:07 2023
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.3 2023/01/04 15:22:02 taca Exp $
+# $NetBSD: Makefile,v 1.4 2023/06/29 16:00:07 taca Exp $
 
 DISTNAME=      actionpack-${RAILS_VERSION}
 PKGNAME=       ${RUBY_PKGPREFIX}-actionpack${RUBY_RAILS}-${RAILS_VERSION}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    www
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost

Index: pkgsrc/www/ruby-actionpack52/distinfo
diff -u pkgsrc/www/ruby-actionpack52/distinfo:1.15 pkgsrc/www/ruby-actionpack52/distinfo:1.16
--- pkgsrc/www/ruby-actionpack52/distinfo:1.15  Wed Jul 13 14:41:08 2022
+++ pkgsrc/www/ruby-actionpack52/distinfo       Thu Jun 29 16:00:07 2023
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.15 2022/07/13 14:41:08 taca Exp $
+$NetBSD: distinfo,v 1.16 2023/06/29 16:00:07 taca Exp $
 
 BLAKE2s (actionpack-5.2.8.1.gem) = 027393689d47bdfee362ff34fa6d46c7a48ab23c314282f75fe73e06a25386e9
 SHA512 (actionpack-5.2.8.1.gem) = cb16e2293630bae2448c7a8960d8911f11b09c9884223f21a906964278c748105eb39dbdcb3b2bd055fe1c9df0e7d65c0480cb74645f3b92276a68abd3ab6235
 Size (actionpack-5.2.8.1.gem) = 214528 bytes
+SHA1 (patch-lib_action__controller_metal_redirecting.rb) = bb27a883242fdfd89c9ab51f8f38a43e17ef314c

Added files:

Index: pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb
diff -u /dev/null pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb:1.1
--- /dev/null   Thu Jun 29 16:00:08 2023
+++ pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb      Thu Jun 29 16:00:07 2023
@@ -0,0 +1,47 @@
+$NetBSD: patch-lib_action__controller_metal_redirecting.rb,v 1.1 2023/06/29 16:00:07 taca Exp $
+
+Fix for CVE-2023-28362.
+
+--- lib/action_controller/metal/redirecting.rb.orig    2023-06-27 15:27:33.969182379 +0000
++++ lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module ActionController
+     include AbstractController::Logger
+     include ActionController::UrlFor
+ 
++    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
++
++    class UnsafeRedirectError < StandardError; end
++
+     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+     #
+     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
+@@ -60,7 +64,11 @@ module ActionController
+       raise AbstractController::DoubleRenderError if response_body
+ 
+       self.status        = _extract_redirect_to_status(options, response_status)
+-      self.location      = _compute_redirect_to_location(request, options)
++
++      redirect_to_location = _compute_redirect_to_location(request, options)
++      _ensure_url_is_http_header_safe(redirect_to_location)
++
++      self.location      = redirect_to_location
+       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+     end
+ 
+@@ -129,5 +137,16 @@ module ActionController
+       rescue ArgumentError, URI::Error
+         false
+       end
++
++      def _ensure_url_is_http_header_safe(url)
++        # Attempt to comply with the set of valid token characters
++        # defined for an HTTP header value in
++        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
++        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
++          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
++            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6";
++          raise UnsafeRedirectError, msg
++        end
++      end
+   end
+ end
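Review bot: the msg assignment in _ensure_url_is_http_header_safe ends with a stray semicolon after the closing quote (`"Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6";`); Ruby tolerates it, but it is noise and should be dropped, or, if the goal stated in the log message is to stay byte-for-byte with the upstream Rails 6.1.7.4/7.0.5.1 fix, documented as intentional. The patch header "Fix for CVE-2023-28362." would be more useful with the upstream commit or advisory URL it was derived from, so the next person bumping RAILS_VERSION can check whether the hunk still applies. One caveat worth a comment in the patch: ILLEGAL_HEADER_VALUE_REGEX (`/[\x00-\x08\x0A-\x1F]/`) intentionally leaves 0x09 (HTAB) alone, which RFC 7230 permits inside a field value, but it also does not match 0x7F (DEL), which field-vchar (VCHAR / obs-text) excludes; that matches upstream, so no change is requested here, but the comment citing section 3.2.6 should not be read as the regex being a complete implementation of it.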


