pkgsrc-Changes archive


CVS commit: [pkgsrc-2023Q2] pkgsrc/www/ruby-actionpack60



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed Jul  5 12:01:27 UTC 2023

Modified Files:
        pkgsrc/www/ruby-actionpack60 [pkgsrc-2023Q2]: Makefile distinfo
Added Files:
        pkgsrc/www/ruby-actionpack60/patches [pkgsrc-2023Q2]:
            patch-lib_action__controller_metal_redirecting.rb

Log Message:
Pullup ticket #6772 - requested by taca
www/ruby-actionpack60: security fix (CVE-2023-28362)

Revisions pulled up:
- www/ruby-actionpack60/Makefile                                1.6
- www/ruby-actionpack60/distinfo                                1.22
- www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb 1.1

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu Jun 29 16:03:34 UTC 2023

   Modified Files:
        pkgsrc/www/ruby-actionpack60: Makefile distinfo
   Added Files:
        pkgsrc/www/ruby-actionpack60/patches:
            patch-lib_action__controller_metal_redirecting.rb

   Log Message:
   www/ruby-actionpack60: add fix for CVE-2023-28362

   Apply similar patch as Rails 6.1.7.4/7.0.5.1.

   Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.5.4.1 pkgsrc/www/ruby-actionpack60/Makefile
cvs rdiff -u -r1.21 -r1.21.4.1 pkgsrc/www/ruby-actionpack60/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/ruby-actionpack60/Makefile
diff -u pkgsrc/www/ruby-actionpack60/Makefile:1.5 pkgsrc/www/ruby-actionpack60/Makefile:1.5.4.1
--- pkgsrc/www/ruby-actionpack60/Makefile:1.5   Thu Jan 19 14:27:25 2023
+++ pkgsrc/www/ruby-actionpack60/Makefile       Wed Jul  5 12:01:27 2023
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.5 2023/01/19 14:27:25 taca Exp $
+# $NetBSD: Makefile,v 1.5.4.1 2023/07/05 12:01:27 bsiegert Exp $
 
 DISTNAME=      actionpack-${RAILS_VERSION}
 PKGNAME=       ${RUBY_PKGPREFIX}-actionpack${RUBY_RAILS}-${RAILS_VERSION}
+PKGREVISION=   1
 CATEGORIES=    www
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
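Review bot: the `+PKGREVISION=   1` line is the right bump here, since DISTNAME stays at actionpack-${RAILS_VERSION} (6.0.6.1) and the only change to the built package is the new patch; without the revision bump, binary package consumers would not pick up the CVE-2023-28362 fix. The hunk matches the "Bump PKGREVISION" line of the log message, nothing else to flag.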

Index: pkgsrc/www/ruby-actionpack60/distinfo
diff -u pkgsrc/www/ruby-actionpack60/distinfo:1.21 pkgsrc/www/ruby-actionpack60/distinfo:1.21.4.1
--- pkgsrc/www/ruby-actionpack60/distinfo:1.21  Thu Jan 19 14:27:25 2023
+++ pkgsrc/www/ruby-actionpack60/distinfo       Wed Jul  5 12:01:27 2023
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.21 2023/01/19 14:27:25 taca Exp $
+$NetBSD: distinfo,v 1.21.4.1 2023/07/05 12:01:27 bsiegert Exp $
 
 BLAKE2s (actionpack-6.0.6.1.gem) = 00f6f3cfdcb407dc89f20fb9cd83e74bb8a6cfed3b4a091435cea31a038a4905
 SHA512 (actionpack-6.0.6.1.gem) = 56bfa53909b22fd94d9065503ab250a7a6fa2535037d1f8e1a5065d947ce5e140530b52f2948163d6a43f2b31c01f65ad29cf0f1d007c0941eef6d7fdc6e1cf2
 Size (actionpack-6.0.6.1.gem) = 218624 bytes
+SHA1 (patch-lib_action__controller_metal_redirecting.rb) = b30440c1ed272d9cddf7a997240224f75f800577
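Review bot: the added `+SHA1 (patch-lib_action__controller_metal_redirecting.rb) = ...` line must be the checksum of the byte-exact patch file that ships in this commit, or the build aborts with a patch checksum mismatch. If the patch file is revised in a follow-up (for example to add more hunks), regenerate this line with `make makepatchsum` in www/ruby-actionpack60 rather than editing it by hand, so distinfo and patches/ stay in sync.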

Added files:

Index: pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb
diff -u /dev/null pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb:1.1.2.2
--- /dev/null   Wed Jul  5 12:01:27 2023
+++ pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb      Wed Jul  5 12:01:27 2023
@@ -0,0 +1,30 @@
+$NetBSD: patch-lib_action__controller_metal_redirecting.rb,v 1.1.2.2 2023/07/05 12:01:27 bsiegert Exp $
+
+Fix for CVE-2023-28362.
+
+--- lib/action_controller/metal/redirecting.rb.orig    2023-06-27 15:31:15.462755078 +0000
++++ lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module ActionController
+     include AbstractController::Logger
+     include ActionController::UrlFor
+ 
++    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
++
++    class UnsafeRedirectError < StandardError; end
++
+     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+     #
+     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
+@@ -60,7 +64,11 @@ module ActionController
+       raise AbstractController::DoubleRenderError if response_body
+ 
+       self.status        = _extract_redirect_to_status(options, response_options)
+-      self.location      = _compute_redirect_to_location(request, options)
++
++      redirect_to_location = _compute_redirect_to_location(request, options)
++      _ensure_url_is_http_header_safe(redirect_to_location)
++
++      self.location      = redirect_to_location
+       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+     end
+ 
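Review bot: the second inner hunk (`@@ -60,7 +64,11 @@`) adds the call `_ensure_url_is_http_header_safe(redirect_to_location)`, but none of the 30 lines of this patch file define that method, and the inner file header covers only lib/action_controller/metal/redirecting.rb. Unless the unpatched 6.0.6.1 source already has a method of that name, every redirect_to will raise NoMethodError rather than validating the Location value, which is a broken package rather than a fix. Suggest a third hunk adding a private method that raises `UnsafeRedirectError` when `url.match?(ILLEGAL_HEADER_VALUE_REGEX)` is true, mirroring the Rails 6.1.7.4/7.0.5.1 change the log message refers to. Minor: the regex `/[\x00-\x08\x0A-\x1F]/` rejects CR and LF (header injection) and other C0 controls but deliberately leaves \x09 (tab) alone; that matches upstream and is worth keeping as is.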