Pullup ticket #2814 - requested by minskim ruby-actionpack: security patch Revisions pulled up: - www/ruby-actionpack/Makefile 1.16 - www/ruby-actionpack/distinfo 1.17 - www/ruby-actionpack/patches/patch-aa 1.3 --- Module Name: pkgsrc Committed By: minskim Date: Thu Jul 16 11:00:25 UTC 2009 Modified Files: pkgsrc/www/ruby-actionpack: Makefile distinfo Added Files: pkgsrc/www/ruby-actionpack/patches: patch-aa Log Message: Security fix for: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422 >From rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489.diff -r1.15 -r1.15.2.1 pkgsrc/www/ruby-actionpack/Makefile
(tron)
| @@ -1,14 +1,19 @@ | @@ -1,14 +1,19 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.15 2009/04/07 17:13:27 minskim Exp $ | 1 | # $NetBSD: Makefile,v 1.15.2.1 2009/07/16 21:13:53 tron Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= actionpack-2.3.2 | 3 | DISTNAME= actionpack-2.3.2 | |
| 4 | PKGNAME= ${RUBY_PKGPREFIX}-${DISTNAME} | 4 | PKGNAME= ${RUBY_PKGPREFIX}-${DISTNAME} | |
| 5 | PKGREVISION= 1 | |||
| 5 | CATEGORIES= www | 6 | CATEGORIES= www | |
| 6 | 7 | |||
| 7 | MAINTAINER= minskim@NetBSD.org | 8 | MAINTAINER= minskim@NetBSD.org | |
| 8 | HOMEPAGE= http://rubyforge.org/projects/actionpack/ | 9 | HOMEPAGE= http://rubyforge.org/projects/actionpack/ | |
| 9 | COMMENT= Two-step approach to web response generation | 10 | COMMENT= Two-step approach to web response generation | |
| 10 | 11 | |||
| 11 | DEPENDS+= ${RUBY_PKGPREFIX}-activesupport>=2.3.2:../../devel/ruby-activesupport | 12 | DEPENDS+= ${RUBY_PKGPREFIX}-activesupport>=2.3.2:../../devel/ruby-activesupport | |
| 12 | 13 | |||
| 13 | .include "../../misc/rubygems/rubygem.mk" | 14 | .include "../../misc/rubygems/rubygem.mk" | |
| 15 | ||||
| 16 | pre-configure: | |||
| 17 | ${RM} ${WRKSRC}/lib/action_controller/http_authentication.rb.orig | |||
| 18 | ||||
| 14 | .include "../../mk/bsd.pkg.mk" | 19 | .include "../../mk/bsd.pkg.mk" |
| @@ -1,6 +1,7 @@ | @@ -1,6 +1,7 @@ | |||
| 1 | $NetBSD: distinfo,v 1.16 2009/04/07 17:13:27 minskim Exp $ | 1 | $NetBSD: distinfo,v 1.16.2.1 2009/07/16 21:13:53 tron Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (actionpack-2.3.2.gem) = 31e9815ed5d901b6b7f618bb7140f16d1a79ebfc | 3 | SHA1 (actionpack-2.3.2.gem) = 31e9815ed5d901b6b7f618bb7140f16d1a79ebfc | |
| 4 | RMD160 (actionpack-2.3.2.gem) = 800602f5c03b08ca8ca292cc7f82ef009c0e2160 | 4 | RMD160 (actionpack-2.3.2.gem) = 800602f5c03b08ca8ca292cc7f82ef009c0e2160 | |
| 5 | Size (actionpack-2.3.2.gem) = 767488 bytes | 5 | Size (actionpack-2.3.2.gem) = 767488 bytes | |
| 6 | SHA1 (patch-aa) = 85d3a5a5766a6ac220e230436f53f6cd4078a259 | |||
| 6 | SHA1 (patch-ab) = bfba841b0af9d503a71745cc8d992e9d09d94191 | 7 | SHA1 (patch-ab) = bfba841b0af9d503a71745cc8d992e9d09d94191 |
$NetBSD: patch-aa,v 1.3.2.2 2009/07/16 21:13:53 tron Exp $
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
--- lib/action_controller/http_authentication.rb.orig 2009-07-16 03:45:19.000000000 -0700
+++ lib/action_controller/http_authentication.rb
@@ -183,7 +183,7 @@ module ActionController
request.env['REDIRECT_X_HTTP_AUTHORIZATION']
end
- # Raises error unless the request credentials response value matches the expected value.
+ # Returns false unless the request credentials response value matches the expected value.
# First try the password as a ha1 digest password. If this fails, then try it as a plain
# text password.
def validate_digest_response(request, realm, &password_procedure)
@@ -192,6 +192,7 @@ module ActionController
if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
password = password_procedure.call(credentials[:username])
+ return false unless password
[true, false].any? do |password_is_ha1|
expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)