packages/rubygem-activesupport
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!47 [sync] PR-46: Fix CVE-2023-28120

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-06-26 08:43:00 +00:00 committed by Gitee
commit 78763003cb
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 85 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
CVE-2023-28120-test.patch Normal file
View File

@ -0,0 +1,51 @@
From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
From: Akira Matsuda <ronnie@dio.jp>
Date: Thu, 5 Jan 2023 05:25:37 +0900
Subject: [PATCH] Implement SafeBuffer#bytesplice
---
.../core_ext/string/output_safety.rb | 4 +++
.../test/core_ext/string_ext_test.rb | 30 +++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
index a51f2f64cbe27..c436821c94a0b 100644
--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -987,6 +987,36 @@ def to_s
assert_predicate string, :html_safe?
end
+ if "".respond_to?(:bytesplice)
+ test "Bytesplicing safe into safe yields safe" do
+ string = "hello".html_safe
+ string.bytesplice(0, 0, "<b>".html_safe)
+
+ assert_equal "<b>hello", string
+ assert_predicate string, :html_safe?
+
+ string = "hello".html_safe
+ string.bytesplice(0..1, "<b>".html_safe)
+
+ assert_equal "<b>llo", string
+ assert_predicate string, :html_safe?
+ end
+
+ test "Bytesplicing unsafe into safe yields escaped safe" do
+ string = "hello".html_safe
+ string.bytesplice(1, 0, "<b>")
+
+ assert_equal "h&lt;b&gt;ello", string
+ assert_predicate string, :html_safe?
+
+ string = "hello".html_safe
+ string.bytesplice(1..2, "<b>")
+
+ assert_equal "h&lt;b&gt;lo", string
+ assert_predicate string, :html_safe?
+ end
+ end
+
test "emits normal string yaml" do
assert_equal "foo".to_yaml, "foo".html_safe.to_yaml(foo: 1)
end

25
CVE-2023-28120.patch Normal file
View File

@ -0,0 +1,25 @@
From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
From: Akira Matsuda <ronnie@dio.jp>
Date: Thu, 5 Jan 2023 05:25:37 +0900
Subject: [PATCH] Implement SafeBuffer#bytesplice
---
.../core_ext/string/output_safety.rb | 4 +++
.../test/core_ext/string_ext_test.rb | 30 +++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
index 8a06ccdd8e385..a627540a353db 100644
--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -216,6 +216,10 @@ def concat(value)
end
alias << concat
+ def bytesplice(*args, value)
+ super(*args, implicit_html_escape_interpolated_argument(value))
+ end
+
def insert(index, value)
super(index, html_escape_interpolated_argument(value))
end

10
rubygem-activesupport.spec
View File

@ -2,7 +2,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 6.1.4.1 Version: 6.1.4.1
Release: 7 Release: 8
Summary: A support libraries and Ruby core extensions extracted from the Rails framework Summary: A support libraries and Ruby core extensions extracted from the Rails framework
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -16,6 +16,9 @@ Patch3: CVE-2023-38037-test.patch
# https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb # https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb
# https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545 # https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545
Patch3000: CVE-2022-23633.patch Patch3000: CVE-2022-23633.patch
# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
Patch3001: CVE-2023-28120.patch
Patch3002: CVE-2023-28120-test.patch
Requires: rubygem(bigdecimal) rubygem(json) Requires: rubygem(bigdecimal) rubygem(json)
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder)
BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli) BuildRequires: rubygem(concurrent-ruby) rubygem(connection_pool) rubygem(dalli)
@ -39,10 +42,12 @@ Documentation for %{name}.
pushd %{_builddir}/test pushd %{_builddir}/test
%patch0 -p1 %patch0 -p1
%patch3 -p3 %patch3 -p3
%patch3002 -p3
popd popd
%patch1 -p2 %patch1 -p2
%patch2 -p2 %patch2 -p2
%patch3000 -p1 %patch3000 -p1
%patch3001 -p2
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -90,6 +95,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Wed Jun 26 2024 wangkai <13474090681@163.com> - 1:6.1.4.1-8
- Fix CVE-2023-28120
* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7 * Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:6.1.4.1-7
- Type:CVES - Type:CVES
- ID:CVE-2022-23633 - ID:CVE-2022-23633