openEuler:Mainline
rubygem-actionpack
Changes of Revision 10
_service:tar_scm:rubygem-actionpack.spec
Changed
@@ -4,7 +4,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 7.0.4 -Release: 2 +Release: 3 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org @@ -23,6 +23,8 @@ # https://github.com/rails/rails/pull/45370 Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch Patch1: CVE-2023-22797.patch +Patch2: CVE-2023-28362.patch +Patch3: CVE-2023-28362-test.patch # Let's keep Requires and BuildRequires sorted alphabeticaly BuildRequires: ruby(release) @@ -61,9 +63,11 @@ %prep %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2 %patch1 -p2 +%patch2 -p2 pushd %{_builddir} %patch0 -p2 +%patch3 -p2 popd %build @@ -106,6 +110,9 @@ %doc %{gem_instdir}/README.rdoc %changelog +* Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:7.0.4-3 +- Fix CVE-2023-28362 + * Mon Feb 20 2023 jiangpeng <jiangpeng01@ncti-gba.cn> - 1:7.0.4-2 - Fix CVE-2023-22797
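Review bot: in the `%prep` hunk, `%patch3 -p2` is applied from inside `%{_builddir}` like `%patch0`, which is consistent for a patch that touches `actionpack/test/...`, but the companion CVE-2023-28362.patch still carries the upstream diffstat (`actionpack/test/controller/redirect_test.rb | 17 +++++++++++++++++`, "2 files changed, 35 insertions(+)") even though its test hunk was split out into CVE-2023-28362-test.patch. `patch` ignores the stat block, so this is harmless, but the stale summary is misleading for the next maintainer; consider trimming it or mentioning the split in the changelog entry for 1:7.0.4-3.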
_service:tar_scm:CVE-2023-28362-test.patch
Added
@@ -0,0 +1,38 @@ +diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb +index 91a8f8512b..40bd8d68da 100644 +--- a/actionpack/test/controller/redirect_test.rb ++++ b/actionpack/test/controller/redirect_test.rb +@@ -104,6 +104,10 @@ def unsafe_redirect_protocol_relative_triple_slash + redirect_to "http:///www.rubyonrails.org/" + end + ++ def unsafe_redirect_with_illegal_http_header_value_character ++ redirect_to "javascript:alert(document.domain)\b", allow_other_host: true ++ end ++ + def only_path_redirect + redirect_to action: "other_host", only_path: true + end +@@ -556,6 +560,19 @@ def test_unsafe_redirect_with_protocol_relative_triple_slash_url + end + end + ++ def test_unsafe_redirect_with_illegal_http_header_value_character ++ with_raise_on_open_redirects do ++ error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do ++ get :unsafe_redirect_with_illegal_http_header_value_character ++ end ++ ++ msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \ ++ "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6" ++ ++ assert_equal msg, error.message ++ end ++ end ++ + def test_only_path_redirect + with_raise_on_open_redirects do + get :only_path_redirect +-- +2.39.2 +
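Review bot: the new `test_unsafe_redirect_with_illegal_http_header_value_character` exercises only a single control byte (`\b`), so neither range boundary of the check is covered: the classic header-splitting bytes CR and LF (`"\r"`, `"\n"`) are not shown to raise, and HTAB (`"\t"`), which RFC 7230 permits inside a field value, is not shown to be accepted. Suggest adding a case for `redirect_to "https://example.com/\r\nX: y", allow_other_host: true` that must raise and one with a tab that must not. Also note the expected message is compared verbatim with the raw `\b` embedded, so if the implementation ever escapes the URL in the message (for example via `url.inspect`) this assertion needs to follow.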
_service:tar_scm:CVE-2023-28362.patch
Added
@@ -0,0 +1,70 @@ +From 6d3e49f128c2db4cb157e058effe07781b0a66e4 Mon Sep 17 00:00:00 2001 +From: Zack Deveau <zack.ref@gmail.com> +Date: Thu, 11 May 2023 16:55:01 -0400 +Subject: PATCH Added check for illegal HTTP header value in redirect_to + +The set of legal characters for an HTTP header value is described +in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6. + +This commit adds a check to redirect_to that ensures the +provided URL does not contain any of the illegal characters. + +Downstream consumers of the resulting Location response header +may remove the header if it does not comply with the RFC. +This can result in a cross site scripting (XSS) vector by +allowing for the redirection page to sit idle waiting +for user interaction with the provided malicious link. + +CVE-2023-28362 + +Origin: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132 + +format +--- + .../action_controller/metal/redirecting.rb | 19 ++++++++++++++++++- + actionpack/test/controller/redirect_test.rb | 17 +++++++++++++++++ + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb +index 0409ba7026..830b94c092 100644 +--- a/actionpack/lib/action_controller/metal/redirecting.rb ++++ b/actionpack/lib/action_controller/metal/redirecting.rb +@@ -4,6 +4,8 @@ module ActionController + module Redirecting + extend ActiveSupport::Concern + ++ ILLEGAL_HEADER_VALUE_REGEX = /\x00-\x08\x0A-\x1F/.freeze ++ + include AbstractController::Logger + include ActionController::UrlFor + +@@ -86,7 +88,11 @@ def redirect_to(options = {}, response_options = {}) + allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host } + + self.status = _extract_redirect_to_status(options, response_options) +- self.location = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), 
allow_other_host: allow_other_host) ++ ++ redirect_to_location = _compute_redirect_to_location(request, options) ++ _ensure_url_is_http_header_safe(redirect_to_location) ++ ++ self.location = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host) + self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>" + end + +@@ -204,5 +210,16 @@ def _url_host_allowed?(url) + rescue ArgumentError, URI::Error + false + end ++ ++ def _ensure_url_is_http_header_safe(url) ++ # Attempt to comply with the set of valid token characters ++ # defined for an HTTP header value in ++ # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6 ++ if url.match(ILLEGAL_HEADER_VALUE_REGEX) ++ msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \ ++ "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6" ++ raise UnsafeRedirectError, msg ++ end ++ end + end + end
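Review bot: in the `ILLEGAL_HEADER_VALUE_REGEX = /\x00-\x08\x0A-\x1F/.freeze` hunk the pattern, as rendered here, has no character-class brackets, so it would match only the literal six-byte sequence NUL `-` BS LF `-` US rather than any single control byte, and the `\b` case in the companion test would not raise. The `Subject: PATCH` line of the same patch is also missing its `[`/`]`, so this is likely square brackets lost in rendering; verify that the applied file reads `/[\x00-\x08\x0A-\x1F]/`. Either way, RFC 7230 section 3.2.6 (linked in the hunk) defines `field-vchar` as VCHAR (0x21-0x7E) or obs-text, so DEL (0x7F) is also illegal in a header value but is not covered by this range; consider `/[\x00-\x08\x0A-\x1F\x7F]/`. Leaving 0x09 out of the range is correct, since HTAB is permitted inside `field-content`.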
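Review bot: in the `_ensure_url_is_http_header_safe` hunk the offending URL is interpolated unescaped into the `UnsafeRedirectError` message, so the very control bytes being rejected (CR/LF included) end up in exception messages and from there in logs and error pages; use `url.inspect` in the message so the bytes are shown escaped, and adjust the test's expected string accordingly. `url.match(...)` also allocates a `MatchData` that is never used; `url.match?(ILLEGAL_HEADER_VALUE_REGEX)` is enough. The call order in the `redirect_to` hunk, running this check before `_enforce_open_redirect_protection`, is right: it applies even with `allow_other_host: true`, which is exactly what the test relies on.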