From a647a236fc1e4b21425f94d2192615e6996674c7 Mon Sep 17 00:00:00 2001
From: Mamoru Tasaka
Date: Jan 07 2010 15:02:11 +0000
Subject: - Workaround patch to fix for rack 1.1.0 dependency (bug 552972)
---
diff --git a/rubygem-actionpack-2.3.4-rack-compat.patch b/rubygem-actionpack-2.3.4-rack-compat.patch
new file mode 100644
index 0000000..8583a21
--- /dev/null
+++ b/rubygem-actionpack-2.3.4-rack-compat.patch
@@ -0,0 +1,174 @@
+--- Rakefile.debug 2010-01-07 03:03:57.000000000 +0900
++++ Rakefile 2010-01-07 03:05:36.000000000 +0900
+@@ -80,7 +80,7 @@
+ s.requirements << 'none'
+ 
+ s.add_dependency('activesupport', '= 2.3.4' + PKG_BUILD)
+- s.add_dependency('rack', '~> 1.0.0')
++ s.add_dependency('rack', '>= 1.0.0')
+ 
+ s.require_path = 'lib'
+ s.autorequire = 'action_controller'
+--- lib/action_controller.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ lib/action_controller.rb 2010-01-07 03:05:36.000000000 +0900
+@@ -31,7 +31,7 @@
+ end
+ end
+ 
+-gem 'rack', '~> 1.0.0'
++gem 'rack', '>= 1.0.0'
+ require 'rack'
+ 
+ module ActionController
+--- lib/action_controller/integration.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ lib/action_controller/integration.rb 2010-01-07 18:46:03.000000000 +0900
+@@ -320,9 +320,25 @@
+ 
+ @headers = Rack::Utils::HeaderHash.new(headers)
+ 
+- (@headers['Set-Cookie'] || "").split("\n").each do |cookie|
+- name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
+- @cookies[name] = value
++ # Umm.. it seems that with rack 1.1.0 @headers is an array
++ # instead of a string which rack 1.0.0 returned
++ # FIXME!!
++
++ headers_cookie = @headers['Set-Cookie']
++ if headers_cookie.is_a?(Array)
++ headers_cookie.each do |cookie_arr|
++ cookie_arr.split("\n").each do |cookie|
++ name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
++ @cookies[name] = value
++ end
++ end
++
++ else
++
++ (headers_cookie || "").split("\n").each do |cookie|
++ name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
++ @cookies[name] = value
++ end
+ end
+ 
+ @body = ""
+--- lib/action_controller/response.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ lib/action_controller/response.rb 2010-01-07 19:40:44.000000000 +0900
+@@ -112,6 +112,12 @@
+ end
+ 
+ def etag?
++
++ # FIXME!!
++ if Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1
++ return headers.include?('ETag') && !headers['ETag'].nil?
++ end
++
+ headers.include?('ETag')
+ end
+ 
+@@ -218,8 +224,15 @@
+ # Don't set the Content-Length for block-based bodies as that would mean
+ # reading it all into memory. Not nice for, say, a 2GB streaming file.
+ def set_content_length!
++
++ ## FIXME
++
+ if status && status.to_s[0..2] == '204'
+ headers.delete('Content-Length')
++
++ elsif Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1 && status && status.to_s[0..2] == '304'
++ headers.delete('Content-Length')
++
+ elsif length = headers['Content-Length']
+ headers['Content-Length'] = length.to_s
+ elsif !body.respond_to?(:call) && (!status || status.to_s[0..2] != '304')
+--- test/controller/integration_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ test/controller/integration_test.rb 2010-01-07 05:44:37.000000000 +0900
+@@ -306,7 +306,9 @@
+ assert_equal "Gone", status_message
+ assert_response 410
+ assert_response :gone
+- assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", headers["Set-Cookie"]
++ # Okay if cookies coincides.
++ # With rake 1.1.0 headers["Set-Cookie"] is an array instread of a string
++ #assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", headers["Set-Cookie"]
+ assert_equal({"cookie_1"=>"", "cookie_2"=>"oatmeal", "cookie_3"=>"chocolate"}, cookies)
+ assert_equal "Gone", response.body
+ end
+--- test/controller/rack_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ test/controller/rack_test.rb 2010-01-07 05:40:49.000000000 +0900
+@@ -215,11 +215,16 @@
+ 
+ status, headers, body = @response.to_a
+ assert_equal 200, status
++ if headers['Set-Cookie'].is_a?(Array)
++ cookie_must = []
++ else
++ cookie_must = ""
++ end
+ assert_equal({
+ "Content-Type" => "text/html; charset=utf-8",
+ "Cache-Control" => "private, max-age=0, must-revalidate",
+ "ETag" => '"65a8e27d8879283831b664bd8b7f0ad4"',
+- "Set-Cookie" => "",
++ "Set-Cookie" => cookie_must,
+ "Content-Length" => "13"
+ }, headers)
+ 
+@@ -234,11 +239,16 @@
+ 
+ status, headers, body = @response.to_a
+ assert_equal 200, status
++ if headers['Set-Cookie'].is_a?(Array)
++ cookie_must = []
++ else
++ cookie_must = ""
++ end
+ assert_equal({
+ "Content-Type" => "text/html; charset=utf-8",
+ "Cache-Control" => "private, max-age=0, must-revalidate",
+ "ETag" => '"ebb5e89e8a94e9dd22abf5d915d112b2"',
+- "Set-Cookie" => "",
++ "Set-Cookie" => cookie_must,
+ "Content-Length" => "8"
+ }, headers)
+ end
+@@ -251,10 +261,15 @@
+ 
+ status, headers, body = @response.to_a
+ assert_equal 200, status
++ if headers['Set-Cookie'].is_a?(Array)
++ cookie_must = []
++ else
++ cookie_must = ""
++ end
+ assert_equal({
+ "Content-Type" => "text/html; charset=utf-8",
+ "Cache-Control" => "no-cache",
+- "Set-Cookie" => ""
++ "Set-Cookie" => cookie_must
+ }, headers)
+ 
+ parts = []
+--- test/controller/session/cookie_store_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ test/controller/session/cookie_store_test.rb 2010-01-07 05:47:37.000000000 +0900
+@@ -145,7 +145,8 @@
+ with_test_route_set do
+ get '/no_session_access'
+ assert_response :success
+- assert_equal "", headers['Set-Cookie']
++ #assert_equal "", headers['Set-Cookie']
++ assert headers['Set-Cookie'].empty?
+ end
+ end
+ 
+@@ -155,7 +156,8 @@
+ "fef868465920f415f2c0652d6910d3af288a0367"
+ get '/no_session_access'
+ assert_response :success
+- assert_equal "", headers['Set-Cookie']
++ #assert_equal "", headers['Set-Cookie']
++ assert headers['Set-Cookie'].empty?
+ end
+ end
+ 
diff --git a/rubygem-actionpack-2.3.x-CVE-2009-4214.patch b/rubygem-actionpack-2.3.x-CVE-2009-4214.patch
new file mode 100644
index 0000000..d180be8
--- /dev/null
+++ b/rubygem-actionpack-2.3.x-CVE-2009-4214.patch
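Review bot: In the integration.rb hunk the new Array branch and the new else branch run the same parsing loop twice, and both keep `cookie.match(/^([^=]*)=([^;]*);/)[1,2]`, which raises NoMethodError on any Set-Cookie entry that has no `;` after the value, because `match` then returns nil. Normalising the header to a list of strings first removes the duplication and leaves one place to skip an entry the regex does not match (sketch below). The gate `Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1` is spelled out twice in response.rb (`etag?` and `set_content_length!`) and would read better as one named predicate; it also never matches any later major version, while the new `gem 'rack', '>= 1.0.0'` in action_controller.rb and the Rakefile has no upper bound, so `'>= 1.0.0', '< 2'` would keep the requirement and the version-gated code consistent. The `# FIXME!!` comments should state what is still wrong, e.g. `# FIXME: rack 1.1 returns Set-Cookie as an Array, rack 1.0 as a "\n"-joined String; fold this into one code path`.
```ruby
@headers = Rack::Utils::HeaderHash.new(headers)

# rack 1.0 returns Set-Cookie as a "\n"-joined String, rack 1.1 as an Array;
# normalise to a list of strings before parsing.
set_cookie = @headers['Set-Cookie']
cookie_headers = set_cookie.is_a?(Array) ? set_cookie : [set_cookie || ""]

cookie_headers.each do |cookie_header|
  cookie_header.split("\n").each do |cookie|
    match = cookie.match(/^([^=]*)=([^;]*);/)
    next unless match # malformed entry: skip it instead of calling [] on nil
    @cookies[match[1]] = match[2]
  end
end

@body = ""
```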
@@ -0,0 +1,39 @@
+From bfe032858077bb2946abe25e95e485ba6da86bd5 Mon Sep 17 00:00:00 2001
+From: Gabe da Silveira
+Date: Mon, 16 Nov 2009 21:17:35 -0800
+Subject: [PATCH] Make sure strip_tags removes tags which start with a non-printable character
+
+Signed-off-by: Michael Koziarski
+---
+ .../vendor/html-scanner/html/node.rb | 2 +-
+ .../test/controller/html-scanner/sanitizer_test.rb | 1 +
+ 2 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+index 6c03316..0cd05d8 100644
+--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
++++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+@@ -162,7 +162,7 @@ module HTML #:nodoc:
+ end
+ 
+ closing = ( scanner.scan(/\//) ? :close : nil )
+- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
++ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
+ name.downcase!
+ 
+ unless closing
+diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
+index e85a5c7..1923544 100644
+--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
++++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
+@@ -19,6 +19,7 @@ class SanitizerTest < ActionController::TestCase
+ assert_equal "This has a here.", sanitizer.sanitize("This has a here.")
+ assert_equal "This has a here.", sanitizer.sanitize("This has a ]]> here.")
+ assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed ]] here...")
++ assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag")
+ [nil, '', ' '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
+ end
+ 
+-- 
+1.6.0.1
+
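Review bot: The widened tag-name class `[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+` in node.rb carries no comment, so a later reader cannot tell that accepting control characters is deliberate (a `<\x07a ...>` must be parsed as a tag so the sanitizer strips it instead of passing it through as text) or why `\x0a` and `\x0d` are the two C0 characters left out; a comment such as `# Accept C0 control chars (except CR/LF) in tag names so "<\x07a>" is parsed as a tag and sanitized (CVE-2009-4214)` would record that. The class now also includes tab (`\x09`), so a name such as `a<TAB>href` is consumed as one name rather than stopping at the tab; that presumably errs on the side of stripping for the whitelist sanitizer, but it is a behaviour change the single added test does not cover, and a test asserting the output for a tab-separated tag would pin it.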
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index cef5f80..a12c62a 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -10,12 +10,17 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 2.3.4
-Release: 2%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
 Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.gem
 Patch0: rubygem-actionpack-2.3.4-enable-test.patch
+Patch1: rubygem-actionpack-2.3.x-CVE-2009-4214.patch
+#
+# Please someone fix the following Patch2!! (mtasaka)
+#
+Patch2: rubygem-actionpack-2.3.4-rack-compat.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
@@ -43,8 +48,14 @@ gem install --local --install-dir .%{gemdir} \
 -V \
 --force --rdoc %{SOURCE0}
 
+# forcely modify gemspec for rack dependency
+sed -i -e '/rack/s|~>|>=|' \
+ ./%{gemdir}/specifications/*gemspec
+
 pushd .%{geminstdir}
 %patch0 -p0
+%patch1 -p2
+%patch2 -p0
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -110,6 +121,12 @@ rake test --trace
 
 %changelog
+* Fri Jan 8 2010 Mamoru Tasaka - 1:2.3.4-4
+- Workaround patch to fix for rack 1.1.0 dependency (bug 552972)
+
+* Thu Dec 10 2009 David Lutterkort - 1:2.3.4-3
+- Patch for CVE-2009-4214 (bz 542786)
+
 * Wed Oct 7 2009 David Lutterkort - 1:2.3.4-2
+- Bump Epoch to ensure upgrade path from F-11
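Review bot: The comment added above `Patch2:` (`# Please someone fix the following Patch2!! (mtasaka)`) does not say what is wrong with the patch, so the next maintainer has to rediscover it from the patch body; replace it with a comment that names the problem and the tracker, e.g. `# Patch2: interim workaround for rack >= 1.1 (bug 552972): relaxes the rack requirement without an upper bound and special-cases Set-Cookie being an Array`. A one-line note next to `Patch1:` saying it is the upstream backport for CVE-2009-4214 (bz 542786), as the changelog entry already does, would make the two patches self-describing in the header.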
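Review bot: The `sed -i -e '/rack/s|~>|>=|'` in the %install hunk rewrites the first `~>` on every line that mentions `rack` in every gemspec under `%{gemdir}/specifications`, and removes the upper bound entirely, whereas Patch2 relaxes the same requirement to `>= 1.0.0` in the Rakefile and `action_controller.rb`; a narrower expression such as `sed -i -e '/rack/s|~> 1\.0\.0|>= 1.0.0|' ./%{gemdir}/specifications/%{gemname}-%{version}.gemspec` confines the edit to the intended file and value, so a future change to the gemspec is not silently rewritten. The comment `# forcely modify gemspec for rack dependency` would be clearer as `# forcibly relax the rack requirement in the installed gemspec (Patch2 only fixes the unpacked source tree)`.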