[rubygem-actionpack/f19] Fix for CVE-2014-0130
Josef Stribny
jstribny at fedoraproject.org
Wed May 7 11:11:53 UTC 2014
commit a2941df641c734ee40a8658387cbe1a81f2d46b3
Author: Josef Stribny <jstribny at redhat.com>
Date: Wed May 7 13:11:43 2014 +0200
Fix for CVE-2014-0130
...-3.2.18-CVE-2014-0130-avoid-dir-traversal.patch | 106 ++++++++++++++++++++
rubygem-actionpack.spec | 9 ++-
2 files changed, 114 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-actionpack-3.2.18-CVE-2014-0130-avoid-dir-traversal.patch b/rubygem-actionpack-3.2.18-CVE-2014-0130-avoid-dir-traversal.patch
new file mode 100644
index 0000000..05a1036
--- /dev/null
+++ b/rubygem-actionpack-3.2.18-CVE-2014-0130-avoid-dir-traversal.patch
@@ -0,0 +1,106 @@
+diff --git a/lib/abstract_controller/base.rb b/lib/abstract_controller/base.rb
+index fd6a46f..2541125 100644
+--- a/lib/abstract_controller/base.rb
++++ b/lib/abstract_controller/base.rb
+@@ -112,7 +112,7 @@ module AbstractController
+ def process(action, *args)
+ @_action_name = action_name = action.to_s
+
+- unless action_name = method_for_action(action_name)
++ unless action_name = _find_action_name(action_name)
+ raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
+ end
+
+@@ -138,7 +138,7 @@ module AbstractController
+ # available action consider actions that are also available
+ # through other means, for example, implicit render ones.
+ def available_action?(action_name)
+- method_for_action(action_name).present?
++ _find_action_name(action_name).present?
+ end
+
+ private
+@@ -182,6 +182,23 @@ module AbstractController
+ end
+
+ # Takes an action name and returns the name of the method that will
++ # handle the action.
++ #
++ # It checks if the action name is valid and returns false otherwise.
++ #
++ # See method_for_action for more information.
++ #
++ # ==== Parameters
++ # * <tt>action_name</tt> - An action name to find a method name for
++ #
++ # ==== Returns
++ # * <tt>string</tt> - The name of the method that handles the action
++ # * false - No valid method name could be found. Raise ActionNotFound.
++ def _find_action_name(action_name)
++ _valid_action_name?(action_name) && method_for_action(action_name)
++ end
++
++ # Takes an action name and returns the name of the method that will
+ # handle the action. In normal cases, this method returns the same
+ # name as it receives. By default, if #method_for_action receives
+ # a name that is not an action, it will look for an #action_missing
+@@ -203,11 +220,16 @@ module AbstractController
+ #
+ # ==== Returns
+ # * <tt>string</tt> - The name of the method that handles the action
+- # * <tt>nil</tt> - No method name could be found. Raise ActionNotFound.
++ # * <tt>nil</tt> - No method name could be found.
+ def method_for_action(action_name)
+ if action_method?(action_name) then action_name
+ elsif respond_to?(:action_missing, true) then "_handle_action_missing"
+ end
+ end
++
++ # Checks if the action name is valid and returns false otherwise.
++ def _valid_action_name?(action_name)
++ action_name.to_s !~ Regexp.new(File::SEPARATOR)
++ end
+ end
+ end
+diff --git a/test/controller/new_base/render_implicit_action_test.rb b/test/controller/new_base/render_implicit_action_test.rb
+index 1e2191d..5b4885f 100644
+--- a/test/controller/new_base/render_implicit_action_test.rb
++++ b/test/controller/new_base/render_implicit_action_test.rb
+@@ -6,7 +6,7 @@ module RenderImplicitAction
+ "render_implicit_action/simple/hello_world.html.erb" => "Hello world!",
+ "render_implicit_action/simple/hyphen-ated.html.erb" => "Hello hyphen-ated!",
+ "render_implicit_action/simple/not_implemented.html.erb" => "Not Implemented"
+- )]
++ ), ActionView::FileSystemResolver.new(File.expand_path('../../../controller', __FILE__))]
+
+ def hello_world() end
+ end
+@@ -33,10 +33,25 @@ module RenderImplicitAction
+ assert_status 200
+ end
+
++ test "render does not traverse the file system" do
++ assert_raises(AbstractController::ActionNotFound) do
++ action_name = %w(.. .. fixtures shared).join(File::SEPARATOR)
++ SimpleController.action(action_name).call(Rack::MockRequest.env_for("/"))
++ end
++ end
++
+ test "available_action? returns true for implicit actions" do
+ assert SimpleController.new.available_action?(:hello_world)
+ assert SimpleController.new.available_action?(:"hyphen-ated")
+ assert SimpleController.new.available_action?(:not_implemented)
+ end
++
++ test "available_action? does not allow File::SEPARATOR on the name" do
++ action_name = %w(evil .. .. path).join(File::SEPARATOR)
++ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
++
++ action_name = %w(evil path).join(File::SEPARATOR)
++ assert_equal false, SimpleController.new.available_action?(action_name.to_sym)
++ end
+ end
+ end
+--
+1.9.1
+
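Review bot: `_valid_action_name?` in the embedded lib/abstract_controller/base.rb hunk rejects only `File::SEPARATOR`, so on a host where `File::ALT_SEPARATOR` is non-nil (Windows, where it is `\`) an action name containing the alternate separator still passes and is handed to `method_for_action` unchanged; whether that reaches a file-system template lookup on such a host is not visible here and would need confirming. Covering both separators also removes the per-call `Regexp.new`: `[File::SEPARATOR, File::ALT_SEPARATOR].compact.none? { |sep| action_name.to_s.include?(sep) }`. The new test `available_action? does not allow File::SEPARATOR on the name` could then gain a matching `File::ALT_SEPARATOR` case, skipped when it is nil, so the check is pinned on both platforms. All methods touched by this commit are fully visible in the hunk.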
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 9cf5d5d..e21b4d9 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -6,7 +6,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.13
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -41,6 +41,9 @@ Patch5: rubygem-actionpack-3.2.17-CVE-2014-0081-XSS-vulnerability.patch
# Fix for CVE-2014-0082
Patch6: rubygem-actionpack-3.2.17-CVE-2014-0082-dos.patch
+# Fix for CVE-2014-0130
+Patch7: rubygem-actionpack-3.2.18-CVE-2014-0130-avoid-dir-traversal.patch
+
# Let's keep Requires and BuildRequires sorted alphabeticaly
Requires: ruby(rubygems)
Requires: rubygem(activemodel) = %{version}
@@ -109,6 +112,7 @@ pushd .%{gem_instdir}
%patch4 -p2
%patch5 -p1
%patch6 -p1
+%patch7 -p1
popd
pushd .%{gem_dir}
@@ -175,6 +179,9 @@ popd
%{gem_instdir}/test/
%changelog
+* Wed May 07 2014 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-6
+- Fix for CVE-2014-0130
+
* Wed Feb 26 2014 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-5
- Fix CVE-2014-0081 and CVE-2014-0082