From 07d9600172a18b45791c89e95a642e13fc367545 Mon Sep 17 00:00:00 2001
From: Jean Boussier
Date: Fri, 11 Feb 2022 13:09:30 +0100
Subject: [PATCH] ActionDispatch::Executor don't fully trust `body#close`

Under certain circumstances, the middleware isn't informed that the response body has been fully closed which result in request state not being fully reset before the next request.
[CVE-2022-23633]
---
diff --git a/actionpack/test/dispatch/executor_test.rb b/actionpack/test/dispatch/executor_test.rb
index 5b8be39b6d..d0bf574009 100644
--- a/actionpack/test/dispatch/executor_test.rb
+++ b/actionpack/test/dispatch/executor_test.rb
@@ -119,6 +119,27 @@ def test_callbacks_execute_in_shared_context
 assert_not defined?(@in_shared_context) # it's not in the test itself
 end
 
+ def test_body_abandonned
+ total = 0
+ ran = 0
+ completed = 0
+
+ executor.to_run { total += 1; ran += 1 }
+ executor.to_complete { total += 1; completed += 1}
+
+ stack = middleware(proc { [200, {}, "response"] })
+
+ requests_count = 5
+
+ requests_count.times do
+ stack.call({})
+ end
+
+ assert_equal (requests_count * 2) - 1, total
+ assert_equal requests_count, ran
+ assert_equal requests_count - 1, completed
+ end
+
 private
 def call_and_return_body(&block)
 app = middleware(block || proc { [200, {}, "response"] })
-- 
2.25.1
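Review bot: The three assertions in `test_body_abandonned` only count callbacks, so they would still pass if an abandoned request's `to_complete` hook ran after the next request's `to_run` hook; the ordering, with state reset before the next request begins, is what the commit message describes and is worth pinning. Recording both hooks in one array and comparing it with the expected interleaving covers that, as sketched below. The test should also carry a comment saying that the response bodies are deliberately never closed and that the final request therefore stays uncompleted, which is where the `- 1` comes from. Minor: the method name is misspelled and should read `test_body_abandoned`. The executor middleware change itself is not part of the patch text visible here, so this is judged from the test alone.

```ruby
def test_body_abandonned
  events = []

  executor.to_run { events << :run }
  executor.to_complete { events << :complete }

  # … unchanged: stack setup and the requests_count.times loop (bodies are never closed) …

  # Each abandoned request must be completed before the next one runs; the last
  # request has no successor, so its completion is absent.
  expected = ([:run, :complete] * requests_count)[0...-1]
  assert_equal expected, events
end
```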