www/ruby-actionpack60: add fix for CVE-2023-28362 Apply a patch similar to the one in Rails 6.1.7.4/7.0.5.1. Bump PKGREVISION.
diff -r1.5 -r1.6 pkgsrc/www/ruby-actionpack60/Makefile
(taca)
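--- a/pkgsrc/www/ruby-actionpack60/Makefile
+++ b/pkgsrc/www/ruby-actionpack60/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.5 2023/01/19 14:27:25 taca Exp $
+# $NetBSD: Makefile,v 1.6 2023/06/29 16:03:34 taca Exp $
 
 DISTNAME= actionpack-${RAILS_VERSION}
 PKGNAME= ${RUBY_PKGPREFIX}-actionpack${RUBY_RAILS}-${RAILS_VERSION}
+PKGREVISION= 1
 CATEGORIES= www
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.rubyonrails.org/
 COMMENT= Toolkit for building modeling frameworks (part of Rails 6.0)
 LICENSE= mit
 
 DEPENDS+= ${RUBY_ACTIONVIEW_DEPENDS}
 DEPENDS+= ${RUBY_PKGPREFIX}-rack2>=2.0:../../www/ruby-rack2
 DEPENDS+= ${RUBY_PKGPREFIX}-rack-test>=0.6.3:../../www/ruby-rack-test
 # ruby-actionview already depends them.
 #DEPENDS+= ${RUBY_PKGPREFIX}-rails-dom-testing>=2.0<3:../../textproc/ruby-rails-dom-testing
 #DEPENDS+= ${RUBY_PKGPREFIX}-rails-html-sanitizer>=1.0.2<2:../../www/ruby-rails-html-sanitizer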
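--- a/pkgsrc/www/ruby-actionpack60/distinfo
+++ b/pkgsrc/www/ruby-actionpack60/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.21 2023/01/19 14:27:25 taca Exp $
+$NetBSD: distinfo,v 1.22 2023/06/29 16:03:34 taca Exp $
 
 BLAKE2s (actionpack-6.0.6.1.gem) = 00f6f3cfdcb407dc89f20fb9cd83e74bb8a6cfed3b4a091435cea31a038a4905
 SHA512 (actionpack-6.0.6.1.gem) = 56bfa53909b22fd94d9065503ab250a7a6fa2535037d1f8e1a5065d947ce5e140530b52f2948163d6a43f2b31c01f65ad29cf0f1d007c0941eef6d7fdc6e1cf2
 Size (actionpack-6.0.6.1.gem) = 218624 bytes
+SHA1 (patch-lib_action__controller_metal_redirecting.rb) = b30440c1ed272d9cddf7a997240224f75f800577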
$NetBSD: patch-lib_action__controller_metal_redirecting.rb,v 1.1 2023/06/29 16:03:34 taca Exp $
Fix for CVE-2023-28362.
--- lib/action_controller/metal/redirecting.rb.orig 2023-06-27 15:31:15.462755078 +0000
+++ lib/action_controller/metal/redirecting.rb
@@ -7,6 +7,10 @@ module ActionController
include AbstractController::Logger
include ActionController::UrlFor
+ ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
+ class UnsafeRedirectError < StandardError; end
+
# Redirects the browser to the target specified in +options+. This parameter can be any one of:
#
# * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
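Review bot: ILLEGAL_HEADER_VALUE_REGEX and UnsafeRedirectError are added without any comment, so nothing tells a reader why the character class `[\x00-\x08\x0A-\x1F]` skips horizontal tab (0x09) or when the error is raised. I would put above the constant `# Control characters that must never appear in a Location header value; CR and LF in particular would terminate the header. Tab (0x09) is not rejected, matching the upstream Rails fix this patch is modelled on.` and above the class `# Raised when a computed redirect location contains one of those characters.` The checker `_ensure_url_is_http_header_safe`, called in the next hunk, is not defined anywhere in the visible part of the patch; presumably a later hunk adds it, and without it the patch would not load.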
@@ -60,7 +64,11 @@ module ActionController
raise AbstractController::DoubleRenderError if response_body
self.status = _extract_redirect_to_status(options, response_options)
- self.location = _compute_redirect_to_location(request, options)
+
+ redirect_to_location = _compute_redirect_to_location(request, options)
+ _ensure_url_is_http_header_safe(redirect_to_location)
+
+ self.location = redirect_to_location
self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
end