pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/www/ruby-actionpack60
Module Name: pkgsrc
Committed By: taca
Date: Thu Jun 29 16:03:34 UTC 2023
Modified Files:
pkgsrc/www/ruby-actionpack60: Makefile distinfo
Added Files:
pkgsrc/www/ruby-actionpack60/patches:
patch-lib_action__controller_metal_redirecting.rb
Log Message:
www/ruby-actionpack60: add fix for CVE-2023-28362
Apply similar patch as Rails 6.1.7.4/7.0.5.1.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 pkgsrc/www/ruby-actionpack60/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/ruby-actionpack60/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/ruby-actionpack60/Makefile
diff -u pkgsrc/www/ruby-actionpack60/Makefile:1.5 pkgsrc/www/ruby-actionpack60/Makefile:1.6
--- pkgsrc/www/ruby-actionpack60/Makefile:1.5 Thu Jan 19 14:27:25 2023
+++ pkgsrc/www/ruby-actionpack60/Makefile Thu Jun 29 16:03:34 2023
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.5 2023/01/19 14:27:25 taca Exp $
+# $NetBSD: Makefile,v 1.6 2023/06/29 16:03:34 taca Exp $
DISTNAME= actionpack-${RAILS_VERSION}
PKGNAME= ${RUBY_PKGPREFIX}-actionpack${RUBY_RAILS}-${RAILS_VERSION}
+PKGREVISION= 1
CATEGORIES= www
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
Index: pkgsrc/www/ruby-actionpack60/distinfo
diff -u pkgsrc/www/ruby-actionpack60/distinfo:1.21 pkgsrc/www/ruby-actionpack60/distinfo:1.22
--- pkgsrc/www/ruby-actionpack60/distinfo:1.21 Thu Jan 19 14:27:25 2023
+++ pkgsrc/www/ruby-actionpack60/distinfo Thu Jun 29 16:03:34 2023
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.21 2023/01/19 14:27:25 taca Exp $
+$NetBSD: distinfo,v 1.22 2023/06/29 16:03:34 taca Exp $
BLAKE2s (actionpack-6.0.6.1.gem) = 00f6f3cfdcb407dc89f20fb9cd83e74bb8a6cfed3b4a091435cea31a038a4905
SHA512 (actionpack-6.0.6.1.gem) = 56bfa53909b22fd94d9065503ab250a7a6fa2535037d1f8e1a5065d947ce5e140530b52f2948163d6a43f2b31c01f65ad29cf0f1d007c0941eef6d7fdc6e1cf2
Size (actionpack-6.0.6.1.gem) = 218624 bytes
+SHA1 (patch-lib_action__controller_metal_redirecting.rb) = b30440c1ed272d9cddf7a997240224f75f800577
Added files:
Index: pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb
diff -u /dev/null pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb:1.1
--- /dev/null Thu Jun 29 16:03:34 2023
+++ pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb Thu Jun 29 16:03:34 2023
@@ -0,0 +1,30 @@
+$NetBSD: patch-lib_action__controller_metal_redirecting.rb,v 1.1 2023/06/29 16:03:34 taca Exp $
+
+Fix for CVE-2023-28362.
+
+--- lib/action_controller/metal/redirecting.rb.orig 2023-06-27 15:31:15.462755078 +0000
++++ lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module ActionController
+ include AbstractController::Logger
+ include ActionController::UrlFor
+
++ ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
++
++ class UnsafeRedirectError < StandardError; end
++
+ # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+ #
+ # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
+@@ -60,7 +64,11 @@ module ActionController
+ raise AbstractController::DoubleRenderError if response_body
+
+ self.status = _extract_redirect_to_status(options, response_options)
+- self.location = _compute_redirect_to_location(request, options)
++
++ redirect_to_location = _compute_redirect_to_location(request, options)
++ _ensure_url_is_http_header_safe(redirect_to_location)
++
++ self.location = redirect_to_location
+ self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+ end
+
Home |
Main Index |
Thread Index |
Old Index