[rubygem-actionpack/f17] Fix for CVE-2012-2694.
Vít Ondruch
vondruch at fedoraproject.org
Mon Jun 18 10:01:21 UTC 2012
commit 7a903ab5dd7d121ad194ed94e33c5c097ebec03f
Author: Vít Ondruch <vondruch at redhat.com>
Date: Mon Jun 18 12:01:04 2012 +0200
Fix for CVE-2012-2694.
...-parameters-should-not-contain-nil-values.patch | 54 ++++++++++++++++++++
rubygem-actionpack.spec | 10 +++-
2 files changed, 63 insertions(+), 1 deletions(-)
---
diff --git a/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch b/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
new file mode 100644
index 0000000..5407b0a
--- /dev/null
+++ b/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
@@ -0,0 +1,54 @@
+From 01cf25055226c74394f08ca356011ef520c662f1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sun, 10 Jun 2012 22:44:54 -0500
+Subject: [PATCH] Array parameters should not contain nil values.
+
+---
+ actionpack/lib/action_dispatch/http/request.rb | 6 ++++--
+ .../dispatch/request/query_string_parsing_test.rb | 4 ++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
+index 985b730..04b4a21 100644
+--- a/actionpack/lib/action_dispatch/http/request.rb
++++ b/actionpack/lib/action_dispatch/http/request.rb
+@@ -262,17 +262,19 @@ module ActionDispatch
+
+ # Remove nils from the params hash
+ def deep_munge(hash)
++ keys = hash.keys.find_all { |k| hash[k] == [nil] }
++ keys.each { |k| hash[k] = nil }
++
+ hash.each_value do |v|
+ case v
+ when Array
+ v.grep(Hash) { |x| deep_munge(x) }
++ v.compact!
+ when Hash
+ deep_munge(v)
+ end
+ end
+
+- keys = hash.keys.find_all { |k| hash[k] == [nil] }
+- keys.each { |k| hash[k] = nil }
+ hash
+ end
+
+diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+index c7ab700..8ea14df 100644
+--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
++++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+@@ -89,6 +89,10 @@ class QueryStringParsingTest < ActionController::IntegrationTest
+ assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
+ end
+
++ def test_array_parses_without_nil
++ assert_parses({"action" => ['1']}, "action[]=1&action[]")
++ end
++
+ test "query string with empty key" do
+ assert_parses(
+ { "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },
+--
+1.7.5.4
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index b415e50..9e988b2 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -7,7 +7,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.0.11
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -48,6 +48,10 @@ Patch5: actionpack-CVE-2012-1099-select-options-XSS.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=827353
Patch6: actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch
+# Fixes CVE-2012-2694
+# https://bugzilla.redhat.com/show_bug.cgi?id=831581
+Patch7: atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
+
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -109,6 +113,7 @@ pushd .%{gem_instdir}
%patch4 -p2
%patch5 -p2
%patch6 -p2
+%patch7 -p2
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -185,6 +190,9 @@ rake test --trace
%changelog
+* Mon Jun 18 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-5
+- Fix for CVE-2012-2694.
+
* Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-4
- Fix for CVE-2012-2660.
More information about the scm-commits
mailing list