pkgsrc-Changes archive


CVS commit: [pkgsrc-2023Q2] pkgsrc/www/ruby-actionpack52



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed Jul  5 11:58:47 UTC 2023

Modified Files:
        pkgsrc/www/ruby-actionpack52 [pkgsrc-2023Q2]: distinfo
Added Files:
        pkgsrc/www/ruby-actionpack52/patches [pkgsrc-2023Q2]:
            patch-lib_action__controller_metal_redirecting.rb

Log Message:
Pullup ticket #6771 - requested by taca
www/ruby-actionpack52: security fix (CVE-2023-28362)

Revisions pulled up:
- www/ruby-actionpack52/Makefile                                1.4-1.5
- www/ruby-actionpack52/distinfo                                1.16
- www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb 1.1

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu Jun 29 16:00:08 UTC 2023

   Modified Files:
        pkgsrc/www/ruby-actionpack52: Makefile distinfo
   Added Files:
        pkgsrc/www/ruby-actionpack52/patches:
            patch-lib_action__controller_metal_redirecting.rb

   Log Message:
   www/ruby-actionpack52: add fix for CVE-2023-28362

   Apply similar patch as Rails 6.1.7.4/7.0.5.1.

   Bump PKGREVISION.

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu Jun 29 16:01:04 UTC 2023

   Modified Files:
        pkgsrc/www/ruby-actionpack52: Makefile

   Log Message:
   www/ruby-actionpack60: decrement PKGREVISION.

   PKGREVISION++ is enough...


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.15.8.1 pkgsrc/www/ruby-actionpack52/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/ruby-actionpack52/distinfo
diff -u pkgsrc/www/ruby-actionpack52/distinfo:1.15 pkgsrc/www/ruby-actionpack52/distinfo:1.15.8.1
--- pkgsrc/www/ruby-actionpack52/distinfo:1.15  Wed Jul 13 14:41:08 2022
+++ pkgsrc/www/ruby-actionpack52/distinfo       Wed Jul  5 11:58:46 2023
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.15 2022/07/13 14:41:08 taca Exp $
+$NetBSD: distinfo,v 1.15.8.1 2023/07/05 11:58:46 bsiegert Exp $
 
 BLAKE2s (actionpack-5.2.8.1.gem) = 027393689d47bdfee362ff34fa6d46c7a48ab23c314282f75fe73e06a25386e9
 SHA512 (actionpack-5.2.8.1.gem) = cb16e2293630bae2448c7a8960d8911f11b09c9884223f21a906964278c748105eb39dbdcb3b2bd055fe1c9df0e7d65c0480cb74645f3b92276a68abd3ab6235
 Size (actionpack-5.2.8.1.gem) = 214528 bytes
+SHA1 (patch-lib_action__controller_metal_redirecting.rb) = bb27a883242fdfd89c9ab51f8f38a43e17ef314c
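Review bot: the PKGREVISION bump is missing from this branch commit. The ticket header lists www/ruby-actionpack52/Makefile 1.4-1.5 (the bump, then the correction of the double bump), but Modified Files names only distinfo and the new patch, and no Makefile hunk appears in this mail. Without the bump on pkgsrc-2023Q2 the fixed package keeps the same PKGNAME as the vulnerable one, so `pkg_add -u` and binary package consumers will not pick it up; confirm the Makefile change was committed to the branch separately, or add it to the pullup.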

Added files:

Index: pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb
diff -u /dev/null pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb:1.1.2.2
--- /dev/null   Wed Jul  5 11:58:47 2023
+++ pkgsrc/www/ruby-actionpack52/patches/patch-lib_action__controller_metal_redirecting.rb      Wed Jul  5 11:58:47 2023
@@ -0,0 +1,47 @@
+$NetBSD: patch-lib_action__controller_metal_redirecting.rb,v 1.1.2.2 2023/07/05 11:58:47 bsiegert Exp $
+
+Fix for CVE-2023-28362.
+
+--- lib/action_controller/metal/redirecting.rb.orig    2023-06-27 15:27:33.969182379 +0000
++++ lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module ActionController
+     include AbstractController::Logger
+     include ActionController::UrlFor
+ 
++    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
++
++    class UnsafeRedirectError < StandardError; end
++
+     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+     #
+     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
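Review bot: the character class in ILLEGAL_HEADER_VALUE_REGEX stops at \x1F, so DEL (\x7F) is accepted even though RFC 7230 section 3.2.6 excludes it from field-vchar; only NUL through BS and LF through US are rejected, with HT (\x09) deliberately left out because a tab is legal whitespace inside a field value. That is enough for the CR/LF header splitting and Location corruption this CVE is about, but the error text further down claims to enforce the RFC character set, so either extend the class to /[\x00-\x08\x0A-\x1F\x7F]/ or reword the message; since this mirrors the upstream Rails regex, noting the gap in the patch header is the smaller change. Also worth recording in the header: UnsafeRedirectError derives from StandardError, so an unrescued hit becomes a 500 in production rather than a client error, which is the intended failure mode but a behaviour change for 5.2 applications that pass user input to redirect_to.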
+@@ -60,7 +64,11 @@ module ActionController
+       raise AbstractController::DoubleRenderError if response_body
+ 
+       self.status        = _extract_redirect_to_status(options, response_status)
+-      self.location      = _compute_redirect_to_location(request, options)
++
++      redirect_to_location = _compute_redirect_to_location(request, options)
++      _ensure_url_is_http_header_safe(redirect_to_location)
++
++      self.location      = redirect_to_location
+       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+     end
+ 
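Review bot: the new check only covers redirects that go through redirect_to; code that assigns self.location or response.location directly never reaches _ensure_url_is_http_header_safe, so the patch header should say that only redirect_to is hardened rather than implying every Location header is now filtered. A second, smaller point: self.status is assigned on the line above the check, so by the time UnsafeRedirectError is raised the response already carries the redirect status. That is harmless when the exception propagates to the framework's error handling, but a rescue_from handler that renders without passing an explicit status may emit the 30x status with an error body; moving the status assignment below the check avoids it.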
+@@ -129,5 +137,16 @@ module ActionController
+       rescue ArgumentError, URI::Error
+         false
+       end
++
++      def _ensure_url_is_http_header_safe(url)
++        # Attempt to comply with the set of valid token characters
++        # defined for an HTTP header value in
++        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
++        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
++          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
++            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6";
++          raise UnsafeRedirectError, msg
++        end
++      end
+   end
+ end
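Review bot: the error message interpolates the raw url, rejected control characters included, into the exception text (`msg = "The redirect URL #{url} contains ..."`). That message reaches the application log and, in development, the error page, so the very bytes the check refuses to put in a header are re-emitted unescaped, which turns a blocked header injection into a log injection with the same payload. Use `#{url.inspect}` so the control characters are shown escaped. Minor: the message should read "one or more illegal HTTP header field characters", and the second string literal ends with a stray `;` after the closing quote; it is a no-op in Ruby but should be dropped before the patch is forwarded anywhere.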
