Thu Jun 29 16:03:34 2023 UTC ()

www/ruby-actionpack60: add fix for CVE-2023-28362

Apply similar patch as Rails 6.1.7.4/7.0.5.1.

Bump PKGREVISION.


(taca)

diff -r1.5 -r1.6 pkgsrc/www/ruby-actionpack60/Makefile
diff -r1.21 -r1.22 pkgsrc/www/ruby-actionpack60/distinfo
diff -r0 -r1.1 pkgsrc/www/ruby-actionpack60/patches/patch-lib_action__controller_metal_redirecting.rb

--- pkgsrc/www/ruby-actionpack60/Makefile 2023/01/19 14:27:25 1.5
+++ pkgsrc/www/ruby-actionpack60/Makefile 2023/06/29 16:03:34 1.6

 @@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.5 2023/01/19 14:27:25 taca Exp $
+# $NetBSD: Makefile,v 1.6 2023/06/29 16:03:34 taca Exp $
 DISTNAME=	actionpack-${RAILS_VERSION}
 PKGNAME=	${RUBY_PKGPREFIX}-actionpack${RUBY_RAILS}-${RAILS_VERSION}
 PKGREVISION=	1
 CATEGORIES=	www
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.rubyonrails.org/
 COMMENT=	Toolkit for building modeling frameworks (part of Rails 6.0)
 LICENSE=	mit
 DEPENDS+=	${RUBY_ACTIONVIEW_DEPENDS}
 DEPENDS+=	${RUBY_PKGPREFIX}-rack2>=2.0:../../www/ruby-rack2
 DEPENDS+=	${RUBY_PKGPREFIX}-rack-test>=0.6.3:../../www/ruby-rack-test
 # ruby-actionview already depends them.
 #DEPENDS+=	${RUBY_PKGPREFIX}-rails-dom-testing>=2.0<3:../../textproc/ruby-rails-dom-testing
 #DEPENDS+=	${RUBY_PKGPREFIX}-rails-html-sanitizer>=1.0.2<2:../../www/ruby-rails-html-sanitizer

--- pkgsrc/www/ruby-actionpack60/distinfo 2023/01/19 14:27:25 1.21
+++ pkgsrc/www/ruby-actionpack60/distinfo 2023/06/29 16:03:34 1.22

 @@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.21 2023/01/19 14:27:25 taca Exp $
+$NetBSD: distinfo,v 1.22 2023/06/29 16:03:34 taca Exp $
 BLAKE2s (actionpack-6.0.6.1.gem) = 00f6f3cfdcb407dc89f20fb9cd83e74bb8a6cfed3b4a091435cea31a038a4905
 SHA512 (actionpack-6.0.6.1.gem) = 56bfa53909b22fd94d9065503ab250a7a6fa2535037d1f8e1a5065d947ce5e140530b52f2948163d6a43f2b31c01f65ad29cf0f1d007c0941eef6d7fdc6e1cf2
 Size (actionpack-6.0.6.1.gem) = 218624 bytes
 SHA1 (patch-lib_action__controller_metal_redirecting.rb) = b30440c1ed272d9cddf7a997240224f75f800577

$NetBSD: patch-lib_action__controller_metal_redirecting.rb,v 1.1 2023/06/29 16:03:34 taca Exp $

Fix for CVE-2023-28362.

--- lib/action_controller/metal/redirecting.rb.orig	2023-06-27 15:31:15.462755078 +0000
+++ lib/action_controller/metal/redirecting.rb
@@ -7,6 +7,10 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
+    class UnsafeRedirectError < StandardError; end
+
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
@@ -60,7 +64,11 @@ module ActionController
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _compute_redirect_to_location(request, options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = redirect_to_location
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end