From 57c69fbf4684b173d1c3b46c01c9cdc46be725c0 Mon Sep 17 00:00:00 2001
From: Vít Ondruch
Date: Jun 18 2012 11:21:27 +0000
Subject: Fix for CVE-2012-2694.
---
diff --git a/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch b/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
new file mode 100644
index 0000000..5407b0a
--- /dev/null
+++ b/atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
@@ -0,0 +1,54 @@
+From 01cf25055226c74394f08ca356011ef520c662f1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Sun, 10 Jun 2012 22:44:54 -0500
+Subject: [PATCH] Array parameters should not contain nil values.
+
+---
+ actionpack/lib/action_dispatch/http/request.rb | 6 ++++--
+ .../dispatch/request/query_string_parsing_test.rb | 4 ++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
+index 985b730..04b4a21 100644
+--- a/actionpack/lib/action_dispatch/http/request.rb
++++ b/actionpack/lib/action_dispatch/http/request.rb
+@@ -262,17 +262,19 @@ module ActionDispatch
+
+ # Remove nils from the params hash
+ def deep_munge(hash)
++ keys = hash.keys.find_all { |k| hash[k] == [nil] }
++ keys.each { |k| hash[k] = nil }
++
+ hash.each_value do |v|
+ case v
+ when Array
+ v.grep(Hash) { |x| deep_munge(x) }
++ v.compact!
+ when Hash
+ deep_munge(v)
+ end
+ end
+
+- keys = hash.keys.find_all { |k| hash[k] == [nil] }
+- keys.each { |k| hash[k] = nil }
+ hash
+ end
+
+diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+index c7ab700..8ea14df 100644
+--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
++++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
+@@ -89,6 +89,10 @@ class QueryStringParsingTest < ActionController::IntegrationTest
+ assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
+ end
+
++ def test_array_parses_without_nil
++ assert_parses({"action" => ['1']}, "action[]=1&action[]")
++ end
++
+ test "query string with empty key" do
+ assert_parses(
+ { "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },
+--
+1.7.5.4
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 7d68604..c6dfdd5 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
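Review bot: In the rewritten `deep_munge` (the request.rb hunk embedded in this patch file), the `hash[k] == [nil]` collapse now runs before the loop, so an array that only becomes empty through `v.compact!`, for example `[nil, nil]`, is left as `[]` rather than `nil`. The added test covers only the mixed case `action[]=1&action[]`, and whether an empty array is safe for the code that consumes these params is not visible here. I would settle it explicitly: iterate with `hash.each do |k, v|` and add `hash[k] = nil if v.empty?` after `v.compact!`, or state in the method comment why `[]` is acceptable. A second test, e.g. `assert_parses({"action" => nil}, "action[]&action[]")` if the nil variant is chosen, would pin the behaviour.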
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -68,7 +68,11 @@ Patch10: actionpack-CVE-2012-1099-select-options-XSS.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=827353
 Patch11: actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch
-Requires: rubygems
+# Fixes CVE-2012-2694
+# https://bugzilla.redhat.com/show_bug.cgi?id=831581
+Patch12: atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
+
+Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
 Requires: rubygem(builder) = 2.1.2
@@ -132,6 +136,7 @@ pushd .%{geminstdir}
 %patch9 -p2
 %patch10 -p2
 %patch11 -p2
+%patch12 -p2
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -203,6 +208,9 @@ rake test --trace
 %changelog
+* Mon Jun 18 2012 Vít Ondruch - 1:3.0.5-9
+- Fix for CVE-2012-2694.
+
 * Mon Jun 04 2012 Vít Ondruch - 1:3.0.5-8
 - Fix for CVE-2012-2660.
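Review bot: The second hunk (`@@ -68,7 +68,11 @@`) also changes `Requires: rubygems` to `Requires: ruby(rubygems)`, which is unrelated to the CVE-2012-2694 patch and is not recorded in the new `%changelog` entry. A security update is easier to audit and backport when it carries only the fix, so I would split that change out or add a changelog line such as `- Require ruby(rubygems) instead of rubygems.`. The Patch12 file name is also spelled `atcionpack-` where Patch10 and Patch11 use `actionpack-`. It matches the file added in this commit, so the build is unaffected, but a search for actionpack patches will miss it; renaming the file and the `Patch12:` line together would fix that.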