[rubygem-actionpack/f19] Fix CVE-2014-7818 (rhbz#1163511) and CVE-2014-7829 (rhbz#1165077)
Josef Stribny
jstribny at fedoraproject.org
Tue Nov 18 14:57:59 UTC 2014
commit f779fb7029f6f2df02bf7abc206825bf6baf6925
Author: Josef Stribny <jstribny at redhat.com>
Date: Tue Nov 18 15:57:46 2014 +0100
Fix CVE-2014-7818 (rhbz#1163511) and CVE-2014-7829 (rhbz#1165077)
rubygem-actionpack-3.2.20-CVE-2014-7818.patch | 86 +++++++++++++++++++++
rubygem-actionpack-3.2.21-CVE-2014-7829.patch | 100 +++++++++++++++++++++++++
rubygem-actionpack.spec | 13 +++-
3 files changed, 198 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-actionpack-3.2.20-CVE-2014-7818.patch b/rubygem-actionpack-3.2.20-CVE-2014-7818.patch
new file mode 100644
index 0000000..ece41b7
--- /dev/null
+++ b/rubygem-actionpack-3.2.20-CVE-2014-7818.patch
@@ -0,0 +1,86 @@
+From c2a0c67d5dbfd127d2785ddecbe0a012f1b24e7e Mon Sep 17 00:00:00 2001
+From: Josef Stribny <jstribny at redhat.com>
+Date: Tue, 18 Nov 2014 15:42:12 +0100
+Subject: [PATCH 1/2] FileHandler should not be called for files outside the
+ root
+
+---
+ lib/action_dispatch/middleware/static.rb | 21 ++++++++++++++++++++-
+ test/dispatch/static_test.rb | 18 ++++++++++++++++++
+ 2 files changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/lib/action_dispatch/middleware/static.rb b/lib/action_dispatch/middleware/static.rb
+index a8d1765..7f11170 100644
+--- a/lib/action_dispatch/middleware/static.rb
++++ b/lib/action_dispatch/middleware/static.rb
+@@ -12,7 +12,7 @@ module ActionDispatch
+ def match?(path)
+ path = path.dup
+
+- full_path = path.empty? ? @root : File.join(@root, escape_glob_chars(unescape_path(path)))
++ full_path = path.empty? ? @root : File.join(@root, escape_glob_chars(clean_path_info(unescape_path(path))))
+ paths = "#{full_path}#{ext}"
+
+ matches = Dir[paths]
+@@ -42,6 +42,25 @@ module ActionDispatch
+ path.force_encoding('binary') if path.respond_to? :force_encoding
+ path.gsub(/[*?{}\[\]]/, "\\\\\\&")
+ end
++
++ private
++
++ PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
++
++ def clean_path_info(path_info)
++ parts = path_info.split PATH_SEPS
++
++ clean = []
++
++ parts.each do |part|
++ next if part.empty? || part == '.'
++ part == '..' ? clean.pop : clean << part
++ end
++
++ clean.unshift '/' if parts.empty? || parts.first.empty?
++
++ ::File.join(*clean)
++ end
+ end
+
+ class Static
+diff --git a/test/dispatch/static_test.rb b/test/dispatch/static_test.rb
+index 856746c..c546dc0 100644
+--- a/test/dispatch/static_test.rb
++++ b/test/dispatch/static_test.rb
+@@ -139,11 +139,29 @@ class StaticTest < ActiveSupport::TestCase
+ DummyApp = lambda { |env|
+ [200, {"Content-Type" => "text/plain"}, ["Hello, World!"]]
+ }
++ Root = "#{FIXTURE_LOAD_PATH}/public"
+ App = ActionDispatch::Static.new(DummyApp, "#{FIXTURE_LOAD_PATH}/public", "public, max-age=60")
+
+ def setup
+ @app = App
++ @root = Root
+ end
+
+ include StaticTests
++
++ def test_custom_handler_called_when_file_is_outside_root
++ filename = 'shared.html.erb'
++ assert File.exist?(File.join(@root, '..', filename))
++ env = {
++ "REQUEST_METHOD"=>"GET",
++ "REQUEST_PATH"=>"/..%2F#(unknown)",
++ "PATH_INFO"=>"/..%2F#(unknown)",
++ "REQUEST_URI"=>"/..%2F#(unknown)",
++ "HTTP_VERSION"=>"HTTP/1.1",
++ "SERVER_NAME"=>"localhost",
++ "SERVER_PORT"=>"8080",
++ "QUERY_STRING"=>""
++ }
++ assert_equal(DummyApp.call(nil), @app.call(env))
++ end
+ end
+--
+1.9.3
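Review bot: `clean_path_info` (L53–66) carries no comment explaining its one security-relevant property — a `..` segment pops the previous component and is simply dropped when there is nothing left to pop, so the path handed to `File.join(@root, ...)` can never rise above `@root` — and that invariant is easy to lose in a later refactor. I would add above the `def`: `# Collapse "." and ".." segments (mirrors Rack::Utils.clean_path_info); ".." at the root is dropped, so the result never escapes @root.` `PATH_SEPS` is built with `.compact`, so on POSIX (`File::ALT_SEPARATOR` is nil) only `/` is a separator and a literal backslash survives as an ordinary character into the glob; a one-line comment saying so would make clear why the companion patch in this commit must escape `\` in `escape_glob_chars`. The `#(unknown)` inside the test path strings at L93–95 looks like an archive rendering artifact of `#{filename}`; as literally shown the string would not interpolate, so verify the patch file actually committed.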
diff --git a/rubygem-actionpack-3.2.21-CVE-2014-7829.patch b/rubygem-actionpack-3.2.21-CVE-2014-7829.patch
new file mode 100644
index 0000000..926a213
--- /dev/null
+++ b/rubygem-actionpack-3.2.21-CVE-2014-7829.patch
@@ -0,0 +1,100 @@
+From c4638d974cb28a8ffd3305b10401e52c61ebb7d8 Mon Sep 17 00:00:00 2001
+From: Josef Stribny <jstribny at redhat.com>
+Date: Tue, 18 Nov 2014 15:44:09 +0100
+Subject: [PATCH] correctly escape backslashes in request path globs
+
+---
+ lib/action_dispatch/middleware/static.rb | 9 +++----
+ test/dispatch/static_test.rb | 41 ++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+), 4 deletions(-)
+
+diff --git a/lib/action_dispatch/middleware/static.rb b/lib/action_dispatch/middleware/static.rb
+index 7f11170..de091b2 100644
+--- a/lib/action_dispatch/middleware/static.rb
++++ b/lib/action_dispatch/middleware/static.rb
+@@ -10,13 +10,14 @@ module ActionDispatch
+ end
+
+ def match?(path)
+- path = path.dup
++ path = unescape_path(path)
++ return false unless path.valid_encoding?
+
+- full_path = path.empty? ? @root : File.join(@root, escape_glob_chars(clean_path_info(unescape_path(path))))
++ full_path = path.empty? ? @root : File.join(@root, escape_glob_chars(clean_path_info(path)))
+ paths = "#{full_path}#{ext}"
+
+ matches = Dir[paths]
+- match = matches.detect { |m| File.file?(m) }
++ match = matches.detect { |m| File.file?(m) && File.readable?(m) }
+ if match
+ match.sub!(@compiled_root, '')
+ ::Rack::Utils.escape(match)
+@@ -40,7 +41,7 @@ module ActionDispatch
+
+ def escape_glob_chars(path)
+ path.force_encoding('binary') if path.respond_to? :force_encoding
+- path.gsub(/[*?{}\[\]]/, "\\\\\\&")
++ path.gsub(/[*?{}\[\]\\]/, "\\\\\\&")
+ end
+
+ private
+diff --git a/test/dispatch/static_test.rb b/test/dispatch/static_test.rb
+index c546dc0..d2bb20b 100644
+--- a/test/dispatch/static_test.rb
++++ b/test/dispatch/static_test.rb
+@@ -1,4 +1,5 @@
+ require 'abstract_unit'
++require 'fileutils'
+ require 'rbconfig'
+
+ module StaticTests
+@@ -149,6 +150,46 @@ class StaticTest < ActiveSupport::TestCase
+
+ include StaticTests
+
++ def test_custom_handler_called_when_file_is_not_readable
++ filename = 'unreadable.html.erb'
++ target = File.join(@root, filename)
++ FileUtils.touch target
++ File.chmod 0200, target
++ assert File.exist? target
++ assert !File.readable?(target)
++ path = "/#(unknown)"
++ env = {
++ "REQUEST_METHOD"=>"GET",
++ "REQUEST_PATH"=> path,
++ "PATH_INFO"=> path,
++ "REQUEST_URI"=> path,
++ "HTTP_VERSION"=>"HTTP/1.1",
++ "SERVER_NAME"=>"localhost",
++ "SERVER_PORT"=>"8080",
++ "QUERY_STRING"=>""
++ }
++ assert_equal(DummyApp.call(nil), @app.call(env))
++ ensure
++ File.unlink target
++ end
++
++ def test_custom_handler_called_when_file_is_outside_root_backslash
++ filename = 'shared.html.erb'
++ assert File.exist?(File.join(@root, '..', filename))
++ path = "/%5C..%2F#(unknown)"
++ env = {
++ "REQUEST_METHOD"=>"GET",
++ "REQUEST_PATH"=> path,
++ "PATH_INFO"=> path,
++ "REQUEST_URI"=> path,
++ "HTTP_VERSION"=>"HTTP/1.1",
++ "SERVER_NAME"=>"localhost",
++ "SERVER_PORT"=>"8080",
++ "QUERY_STRING"=>""
++ }
++ assert_equal(DummyApp.call(nil), @app.call(env))
++ end
++
+ def test_custom_handler_called_when_file_is_outside_root
+ filename = 'shared.html.erb'
+ assert File.exist?(File.join(@root, '..', filename))
+--
+1.9.3
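Review bot: `test_custom_handler_called_when_file_is_not_readable` (L167–188) asserts `!File.readable?(target)` after `File.chmod 0200`, which fails whenever the suite runs as root, because root bypasses mode bits; an RPM `%check` run as root would then fail the build on an environment condition rather than a regression. Guarding it with `skip "root ignores file mode bits" if Process.euid.zero?` (if the bundled minitest provides `skip`) keeps the test meaningful elsewhere. Separately, `return false unless path.valid_encoding?` at L132 only protects the `split` inside `clean_path_info` if `unescape_path` returns a string tagged with a multibyte encoding; if it returns ASCII-8BIT, `valid_encoding?` is always true — `unescape_path` is outside this hunk, so confirm which it is. A short comment on that line, `# reject invalid byte sequences before the regexp split in clean_path_info raises`, would record why the guard sits before the glob is built.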
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index e21b4d9..47aea08 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -6,7 +6,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.13
-Release: 6%{?dist}
+Release: 7%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -44,6 +44,12 @@ Patch6: rubygem-actionpack-3.2.17-CVE-2014-0082-dos.patch
# Fix for CVE-2014-0130
Patch7: rubygem-actionpack-3.2.18-CVE-2014-0130-avoid-dir-traversal.patch
+# CVE-2014-7818: FileHandler should not be called for files outside the root
+Patch8: rubygem-actionpack-3.2.20-CVE-2014-7818.patch
+# CVE-2014-7829: Correctly escape backslashes in request path globs
+Patch9: rubygem-actionpack-3.2.21-CVE-2014-7829.patch
+
+
# Let's keep Requires and BuildRequires sorted alphabeticaly
Requires: ruby(rubygems)
Requires: rubygem(activemodel) = %{version}
@@ -113,6 +119,8 @@ pushd .%{gem_instdir}
%patch5 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
+%patch9 -p1
popd
pushd .%{gem_dir}
@@ -179,6 +187,9 @@ popd
%{gem_instdir}/test/
%changelog
+* Tue Nov 18 2014 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-7
+- Fix CVE-2014-7818 (rhbz#1163511) and CVE-2014-7829 (rhbz#1165077)
+
* Wed May 07 2014 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-6
- Fix for CVE-2014-0130