File _service:obs_scm:CVE-2024-26144.patch of Package rubygem-activestorage
From 723f54566023e91060a67b03353e7c03e7436433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= <rafael@rubyonrails.org> Date: Thu, 3 Aug 2023 16:00:34 -0400 Subject: [PATCH] Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers Disable session in ActiveStorage blobs and representations proxy controllers [CVE-2024-26144] --- activestorage/CHANGELOG.md | 8 ++++++++ .../active_storage/blobs/proxy_controller.rb | 1 + .../representations/proxy_controller.rb | 1 + .../concerns/active_storage/disable_session.rb | 12 ++++++++++++ 4 files changed, 22 insertions(+) create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb index 6ec2772717c70..438623858474e 100644 --- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb +++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb @@ -9,6 +9,7 @@ class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController include ActiveStorage::SetBlob include ActiveStorage::Streaming + include ActiveStorage::DisableSession def show if request.headers["Range"].present? diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb index 0f6c0f79978ab..7024f6534a501 100644 --- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb +++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb 
@@ -8,6 +8,7 @@ # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers]. class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController include ActiveStorage::Streaming + include ActiveStorage::DisableSession def show http_cache_forever public: true do diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb new file mode 100644 index 0000000000000..200ad7c9d23ac --- /dev/null +++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare. +module ActiveStorage::DisableSession + extend ActiveSupport::Concern + + included do + before_action do + request.session_options[:skip] = true + end + end +end
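Review bot: The diffstat in the header lists activestorage/CHANGELOG.md with 8 insertions and totals "4 files changed, 22 insertions(+)", but the body has no CHANGELOG.md hunk; it touches three files and adds 14 lines. If the changelog hunk was dropped on purpose for this package, regenerate the diffstat or note the omission in the message, so that anyone auditing the backport against the upstream commit can tell a deliberate omission from a truncated patch.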
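Review bot: Nothing in this patch tests the two `include ActiveStorage::DisableSession` lines added to ActiveStorage::Blobs::ProxyController and ActiveStorage::Representations::ProxyController; the diffstat contains no test file. The representations action responds under `http_cache_forever public: true`, so add a controller test for each proxy `show` action asserting that the response has no Set-Cookie header. A later refactor that drops the include would then fail a test instead of silently restoring the session.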
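Review bot: The comment at the top of disable_session.rb gives only the CDN caching motive ("in order to allow caching by default in some CDNs as CloudFlare"), while the subject line tags the change as CVE-2024-26144. State the security reason in the comment as well: the proxy responses are meant for shared caches (the representations action uses `http_cache_forever public: true`), so no session should be loaded or committed on them. Wording nit in the same line: "as CloudFlare" should read "such as Cloudflare".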