[rubygem-actionpack/f15] Fix for CVE-2012-2660.
Vít Ondruch
vondruch at fedoraproject.org
Mon Jun 4 14:09:28 UTC 2012
commit e08584293ce7929d98d0269ee833cb709c798e50
Author: Vít Ondruch <vondruch at redhat.com>
Date: Mon Jun 4 16:09:19 2012 +0200
Fix for CVE-2012-2660.
...-2012-2660-strip-nil-from-parameters-hash.patch | 69 ++++++++++++++++++++
rubygem-actionpack.spec | 11 +++-
2 files changed, 79 insertions(+), 1 deletions(-)
---
diff --git a/actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch b/actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch
new file mode 100644
index 0000000..8564ea9
--- /dev/null
+++ b/actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch
@@ -0,0 +1,69 @@
+From c202638225519b5e1a03ebe523b109c948fb0e52 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Wed, 30 May 2012 15:13:03 -0700
+Subject: [PATCH] Strip [nil] from parameters hash. Thanks to Ben Murphy for
+ reporting this!
+
+CVE-2012-2660
+
+Conflicts:
+
+ actionpack/lib/action_dispatch/http/request.rb
+---
+ actionpack/lib/action_dispatch/http/request.rb | 22 ++++++++++++++++++++
+ .../dispatch/request/query_string_parsing_test.rb | 7 ++++++-
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
+index 7c8557b..985b730 100644
+--- a/actionpack/lib/action_dispatch/http/request.rb
++++ b/actionpack/lib/action_dispatch/http/request.rb
+@@ -257,5 +257,27 @@ module ActionDispatch
+ def local?
+ LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
+ end
++
++ protected
++
++ # Remove nils from the params hash
++ def deep_munge(hash)
++ hash.each_value do |v|
++ case v
++ when Array
++ v.grep(Hash) { |x| deep_munge(x) }
++ when Hash
++ deep_munge(v)
++ end
++ end
++
++ keys = hash.keys.find_all { |k| hash[k] == [nil] }
++ keys.each { |k| hash[k] = nil }
++ hash
++ end
++
++ def parse_query(qs)
++ deep_munge(super)
++ end
+ end
+ end
+diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+index 071d80c..c7ab700 100644
+--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
++++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+@@ -81,7 +81,12 @@ class QueryStringParsingTest < ActionController::IntegrationTest
+ end
+
+ test "query string without equal" do
+- assert_parses({ "action" => nil }, "action")
++ assert_parses({"action" => nil}, "action")
++ assert_parses({"action" => {"foo" => nil}}, "action[foo]")
++ assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]")
++ assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]")
++ assert_parses({"action" => {"foo" => nil}}, "action[foo][]")
++ assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
+ end
+
+ test "query string with empty key" do
+--
+1.7.10.2
+
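Review bot: The final check in `deep_munge`, `keys = hash.keys.find_all { |k| hash[k] == [nil] }`, only rewrites a value that is exactly the one-element array `[nil]`; an array holding several nils, or nil next to other elements, passes the recursive `v.grep(Hash)` walk untouched and still reaches the caller with nil entries inside it. A more thorough form drops every nil element before the collapse: add `v.compact!` after `v.grep(Hash) { |x| deep_munge(x) }` in the `when Array` branch and change the check to `hash[k] == []`, so any array emptied by compaction becomes nil; as far as I recall upstream later tightened the method this way, so verify against the current upstream request.rb before relying on it. The added cases in query_string_parsing_test.rb all end in a single `[]`; if I read Rack's parser right, the same `[]` key repeated in one query string accumulates into a multi-element array, and a test for that shape would pin the wider behaviour. This hunk is a nested patch, so the enclosing `ActionDispatch::Request` class body continues beyond the embedded hunk's context lines.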
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index bccb8c3..7d68604 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.5
-Release: 7%{?dist}
+Release: 8%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -63,6 +63,11 @@ Patch9: actionpack-%{version}-fix-tests-failing-with-ruby-1.8.7.p357.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=799276
Patch10: actionpack-CVE-2012-1099-select-options-XSS.patch
+
+# Fixes CVE-2012-2660
+# https://bugzilla.redhat.com/show_bug.cgi?id=827353
+Patch11: actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch
+
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
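Review bot: The new `Patch11` file name carries `3.0.13` while this package is at `Version: 3.0.5`, and the neighbouring `Patch9` derives its name from `%{version}`, so the number reads as a version mismatch rather than as the upstream release the fix was taken from. The embedded patch header shows it is a backport of upstream commit c202638 with a conflict resolved in request.rb, so the comment should say that, e.g. `# Fixes CVE-2012-2660 (backport of the upstream 3.0.13 fix, commit c2026382; conflicts resolved in request.rb)`, keeping the bugzilla link below it as is.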
@@ -126,6 +131,7 @@ pushd .%{geminstdir}
%patch8 -p2
%patch9 -p2
%patch10 -p2
+%patch11 -p2
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -197,6 +203,9 @@ rake test --trace
%changelog
+* Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.5-8
+- Fix for CVE-2012-2660.
+
* Fri Mar 16 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.5-7
- The CVE patches names now contain the CVE id.