From 07d9600172a18b45791c89e95a642e13fc367545 Mon Sep 17 00:00:00 2001
|
|
From: Jean Boussier <jean.boussier@gmail.com>
|
|
Date: Fri, 11 Feb 2022 13:09:30 +0100
|
|
Subject: [PATCH] ActionDispatch::Executor don't fully trust `body#close`
|
|
|
|
Under certain circumstances, the middleware isn't informed that the
|
|
response body has been fully closed, which results in request state not
|
|
being fully reset before the next request.
|
|
|
|
[CVE-2022-23633]
|
|
---
|
|
diff --git a/actionpack/test/dispatch/executor_test.rb b/actionpack/test/dispatch/executor_test.rb
|
|
index 5b8be39b6d..d0bf574009 100644
|
|
--- a/actionpack/test/dispatch/executor_test.rb
|
|
+++ b/actionpack/test/dispatch/executor_test.rb
|
|
@@ -119,6 +119,27 @@ def test_callbacks_execute_in_shared_context
|
|
assert_not defined?(@in_shared_context) # it's not in the test itself
|
|
end
|
|
|
|
+ def test_body_abandonned
|
|
+ total = 0
|
|
+ ran = 0
|
|
+ completed = 0
|
|
+
|
|
+ executor.to_run { total += 1; ran += 1 }
|
|
+ executor.to_complete { total += 1; completed += 1}
|
|
+
|
|
+ stack = middleware(proc { [200, {}, "response"] })
|
|
+
|
|
+ requests_count = 5
|
|
+
|
|
+ requests_count.times do
|
|
+ stack.call({})
|
|
+ end
|
|
+
|
|
+ assert_equal (requests_count * 2) - 1, total
|
|
+ assert_equal requests_count, ran
|
|
+ assert_equal requests_count - 1, completed
|
|
+ end
|
|
+
|
|
private
|
|
def call_and_return_body(&block)
|
|
app = middleware(block || proc { [200, {}, "response"] })
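Review bot: The expected counts in `test_body_abandonned` are unexplained: nothing in the test says that the bodies returned by `stack.call({})` are deliberately never closed, which is presumably why `completed` ends at `requests_count - 1` rather than `requests_count`. A comment above the loop would make the intent readable for the next maintainer, for example `# Bodies are never closed here: each new request is expected to complete the previous, abandoned run before starting its own.` The test only counts `to_run`/`to_complete` invocations, so it pins the callback ordering but not that any concrete per-request state is actually cleared; a follow-up assertion on a value set in `to_run` and reset in `to_complete` would tie the test more directly to the state-leak described in the commit message. Minor style points: the method name is misspelled (`test_body_abandoned`), `completed += 1}` is missing the space before `}`, and `assert_equal (requests_count * 2) - 1, total` reads more safely as `assert_equal(requests_count * 2 - 1, total)`.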
|
|
|
|
--
|
|
2.25.1
|
|
|