File _service:obs_scm:fix-CVE-2024-28103.patch of Package rubygem-actionpack
From 35858f1d9d57f6c4050a8d9ab754bd5d088b4523 Mon Sep 17 00:00:00 2001 From: Zack Deveau <zack.ref@gmail.com> Date: Tue, 27 Feb 2024 10:03:50 -0500 Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103] The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This change allows all Content-Types to serve the configured Permissions-Policy as there are many non-HTML Content-Types that would benefit from this header. (examples include image/svg+xml and application/xml) --- .../lib/action_dispatch/http/permissions_policy.rb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb b/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb index 5666ad0..6ec9087 100644 --- a/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb +++ b/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb @@ -37,7 +37,6 @@ module ActionDispatch # :nodoc: request = ActionDispatch::Request.new(env) _, headers, _ = response = @app.call(env) - return response unless html_response?(headers) return response if policy_present?(headers) if policy = request.permissions_policy @@ -52,12 +51,6 @@ module ActionDispatch # :nodoc: end private - def html_response?(headers) - if content_type = headers[CONTENT_TYPE] - /html/.match?(content_type) - end - end - def policy_present?(headers) headers[POLICY] end -- 2.27.0
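Review bot: The deletion of `return response unless html_response?(headers)` in the first hunk (@@ -37,7 +37,6) comes with no test: the diffstat lists 1 file changed and 7 deletions, all in permissions_policy.rb. Add a regression test that issues a request whose response has a non-HTML Content-Type (the commit message names image/svg+xml and application/xml) and asserts that the configured Permissions-Policy header is present, plus one case confirming that a header already set by the application is still left untouched by the remaining `return response if policy_present?(headers)` guard.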
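Review bot: After `html_response?` is removed in the second hunk (@@ -52,12 +51,6), none of the visible lines still reads `CONTENT_TYPE`, which that helper used as `headers[CONTENT_TYPE]`. Check whether the constant is referenced anywhere else in this file and drop its definition if it is not, so the backport does not leave dead code behind.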