Fix CVE-2024-41128 and CVE-2024-47887

(cherry picked from commit 948704b3fc297a7de8e7652d00621b8fe9a2afd7)

backport-CVE-2024-41128.patch

@@ -0,0 +1,38 @@
+From fb493bebae1a9b83e494fe7edbf01f6167d606fd Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:41:33 -0700
+Subject: [PATCH] Avoid backtracking in filtered_query_string
+
+Thanks scyoon for the patch
+
+CVE-2024-41128
+---
+ .../lib/action_dispatch/http/filter_parameters.rb   | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb
+index 7ad1ba3e0eb0e..b02f0d6f85341 100644
+--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb
++++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb
+@@ -73,12 +73,17 @@ def parameter_filter_for(filters) # :doc:
+         ActiveSupport::ParameterFilter.new(filters)
+       end
+ 
+-      KV_RE   = "[^&;=]+"
+-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
+       def filtered_query_string # :doc:
+-        query_string.gsub(PAIR_RE) do |_|
+-          parameter_filter.filter($1 => $2).first.join("=")
++        parts = query_string.split(/([&;])/)
++        filtered_parts = parts.map do |part|
++          if part.include?("=")
++            key, value = part.split("=", 2)
++            parameter_filter.filter(key => value).first.join("=")
++          else
++            part
++          end
+         end
++        filtered_parts.join("")
+       end
+     end
+   end

backport-CVE-2024-47887.patch

@@ -0,0 +1,26 @@
+From 8e057db25bff1dc7a98e9ae72e0083825b9ac545 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:32:00 -0700
+Subject: [PATCH] Avoid backtracking in Token#raw_params
+
+Thanks to scyoon for the patch
+
+[CVE-2024-47887]
+---
+ actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
+index 2ad4df5b53ad8..ef0886bd4af9b 100644
+--- a/actionpack/lib/action_controller/metal/http_authentication.rb
++++ b/actionpack/lib/action_controller/metal/http_authentication.rb
+@@ -483,7 +483,8 @@ def rewrite_param_values(array_params)
+       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
+       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
+       def raw_params(auth)
+-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
++        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
++        _raw_params.reject!(&:empty?)
+ 
+         if !_raw_params.first&.start_with?(TOKEN_KEY)
+           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

rubygem-actionpack.spec

@@ -4,7 +4,7 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	6.1.4.1
-Release: 	6
+Release: 	7
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@@ -24,6 +24,8 @@ Patch6:         CVE-2024-28103-test.patch
 # https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
 Patch3000:      CVE-2022-23633.patch
 Patch3001:      CVE-2022-23633-test.patch
+Patch3002:      backport-CVE-2024-41128.patch
+Patch3003:      backport-CVE-2024-47887.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@@ -66,6 +68,8 @@ Documentation for %{name}.
 %patch4 -p2
 %patch5 -p2
 %patch3000 -p2
+%patch3002 -p2
+%patch3003 -p2
 pushd %{_builddir}
 %patch1 -p2
 %patch3 -p2
@@ -114,6 +118,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-7
+- Fix CVE-2024-41128 and CVE-2024-47887
+
 * Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-6
 - Type:CVES
 - ID:CVE-2022-23633