[rubygem-actionpack/f15] Fix for CVE-2012-2694.

Vít Ondruch vondruch at fedoraproject.org
Mon Jun 18 11:22:04 UTC 2012


commit 57c69fbf4684b173d1c3b46c01c9cdc46be725c0
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Mon Jun 18 12:01:04 2012 +0200

    Fix for CVE-2012-2694.

 ...-parameters-should-not-contain-nil-values.patch |   54 ++++++++++++++++++++
 rubygem-actionpack.spec                            |   12 ++++-
 2 files changed, 64 insertions(+), 2 deletions(-)
---
diff --git a/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch b/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
new file mode 100644
index 0000000..5407b0a
--- /dev/null
+++ b/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
@@ -0,0 +1,54 @@
+From 01cf25055226c74394f08ca356011ef520c662f1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sun, 10 Jun 2012 22:44:54 -0500
+Subject: [PATCH] Array parameters should not contain nil values.
+
+---
+ actionpack/lib/action_dispatch/http/request.rb     |    6 ++++--
+ .../dispatch/request/query_string_parsing_test.rb  |    4 ++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
+index 985b730..04b4a21 100644
+--- a/actionpack/lib/action_dispatch/http/request.rb
++++ b/actionpack/lib/action_dispatch/http/request.rb
+@@ -262,17 +262,19 @@ module ActionDispatch
+ 
+     # Remove nils from the params hash
+     def deep_munge(hash)
++      keys = hash.keys.find_all { |k| hash[k] == [nil] }
++      keys.each { |k| hash[k] = nil }
++
+       hash.each_value do |v|
+         case v
+         when Array
+           v.grep(Hash) { |x| deep_munge(x) }
++          v.compact!
+         when Hash
+           deep_munge(v)
+         end
+       end
+ 
+-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+-      keys.each { |k| hash[k] = nil }
+       hash
+     end
+ 
+diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+index c7ab700..8ea14df 100644
+--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
++++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+@@ -89,6 +89,10 @@ class QueryStringParsingTest < ActionController::IntegrationTest
+     assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
+   end
+ 
++  def test_array_parses_without_nil
++    assert_parses({"action" => ['1']}, "action[]=1&action[]")
++  end
++
+   test "query string with empty key" do
+     assert_parses(
+       { "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },
+-- 
+1.7.5.4
+
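Review bot: The reordered `hash[k] == [nil]` check in deep_munge still only rewrites an array that is exactly one nil, so after the new `v.compact!` a query string of `action[]&action[]` yields `[]` while `action[]` yields `nil`, two different shapes for the same empty input; the added test only pins the `action[]=1&action[]` case, so `assert_parses({"action" => []}, "action[]&action[]")` should be added to document whichever result is intended (or the check widened to `v.is_a?(Array) && v.all?(&:nil?)` if nil is wanted for both). `v.compact!` strips nil elements only at the top level of each array, which is sufficient for Rack's parameter nesting as long as the `grep(Hash)` recursion handles the hashes inside; that assumption is not visible here. The test change covers query-string parsing only, and whether form-body and ParamsParser (JSON/XML) parameters reach the same deep_munge call in this 3.0.5 tree is not shown in the hunk, so that path is worth confirming before calling the CVE closed. Note `compact!` returns nil when nothing changed, which is fine here since its result is discarded and must not be chained.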
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 7d68604..c6dfdd5 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -68,7 +68,11 @@ Patch10: actionpack-CVE-2012-1099-select-options-XSS.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=827353
 Patch11: actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch
 
-Requires: rubygems
+# Fixes CVE-2012-2694
+# https://bugzilla.redhat.com/show_bug.cgi?id=831581
+Patch12: atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
+
+Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
 Requires: rubygem(builder) = 2.1.2
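Review bot: The `Requires: rubygems` → `Requires: ruby(rubygems)` change at the bottom of this hunk is unrelated to CVE-2012-2694 and is not mentioned in the changelog entry, so a security update silently changes the package's dependency set; either add a changelog line such as `- Require ruby(rubygems) instead of rubygems.` or move it to its own commit. The new patch is named `atcionpack-3.0.15-…` while Patch10 and Patch11 use the `actionpack-…` prefix; the name matches the added file so `%patch12` applies, but renaming it to `actionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch` keeps the series consistent and greppable. The `3.0.15` in the name also differs from `Version: 3.0.5`, presumably the upstream release the patch was lifted from; a comment stating that (`# backported from upstream 3.0.15`) would save the next maintainer a guess when rebasing.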
@@ -132,6 +136,7 @@ pushd .%{geminstdir}
 %patch9 -p2
 %patch10 -p2
 %patch11 -p2
+%patch12 -p2
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -203,6 +208,9 @@ rake test --trace
 
 
 %changelog
+* Mon Jun 18 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.5-9
+- Fix for CVE-2012-2694.
+
 * Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.5-8
 - Fix for CVE-2012-2660.
 

