packages/rubygem-rack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!54 Fix CVE-2024-39316

Browse Source 
From: @li_ning_jie 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-07-05 02:53:39 +00:00 committed by Gitee
commit ca20fa8e4a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 61 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
CVE-2024-39316.patch Normal file
View File

@ -0,0 +1,53 @@
From 412c980450ca729ee37f90a2661f166a9665e058 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto <dwi.siswanto98@gmail.com>
Date: Tue, 2 Jul 2024 11:29:28 +0700
Subject: [PATCH] Merge pull request from GHSA-cj83-2ww7-mvq7
* fix: ReDoS in the `parse_http_accept_header` method
Signed-off-by: Dwi Siswanto <git@dw1.io>
* fix: optimize HTTP Accept headers parsing
by:
* updated `parse_http_accept_header` method to
avoid unnecessary array allocation from `map`.
* used `strip!` to modify strings in place,
avoiding additional string allocations.
* plus, safe navigation for `parameters` to
handle nil cases.
this improves memory efficiency in header parsing.
Co-authored-by: Jeremy Evans <jeremyevans@users.noreply.github.com>
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Jeremy Evans <jeremyevans@users.noreply.github.com>
---
lib/rack/request.rb | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
index b880b6ec..ccbd07da 100644
--- a/lib/rack/request.rb
+++ b/lib/rack/request.rb
@@ -642,8 +642,10 @@ module Rack
end
def parse_http_accept_header(header)
- header.to_s.split(/\s*,\s*/).map do |part|
- attribute, parameters = part.split(/\s*;\s*/, 2)
+ header.to_s.split(',').map do |part|
+ attribute, parameters = part.split(';', 2)
+ attribute.strip!
+ parameters&.strip!
quality = 1.0
if parameters and /\Aq=([\d.]+)/ =~ parameters
quality = $1.to_f
--
2.43.0.windows.1

10
rubygem-rack.spec
View File

@ -4,11 +4,14 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.2.3.1 Version: 2.2.3.1
Epoch: 1 Epoch: 1
Release: 2 Release: 3
Summary: A modular Ruby webserver interface Summary: A modular Ruby webserver interface
License: MIT and BSD License: MIT and BSD
URL: https://rack.github.io/ URL: https://rack.github.io/
Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem Source0: https://rubygems.org/downloads/%{gem_name}-%{version}.gem
Patch0: CVE-2024-39316.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(concurrent-ruby) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(concurrent-ruby)
BuildRequires: memcached rubygem(memcache-client) rubygem(minitest) BuildRequires: memcached rubygem(memcache-client) rubygem(minitest)
BuildRequires: rubygem(memcache-client) BuildRequires: rubygem(memcache-client)
@ -39,7 +42,7 @@ BuildArch: noarch
Documentation for %{name}. Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} %autosetup -n %{gem_name}-%{version} -p1 -S git
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -97,6 +100,9 @@ popd
%doc %{gem_instdir}/contrib %doc %{gem_instdir}/contrib
%changelog %changelog
* Wed Jul 3 2024 liningjie <liningjie@xfusion.com> - 1:2.2.3.1-3
- Fix CVE-2024-39316
* Wed Apr 19 2023 sjxur <sjxur@isoftstone.com> - 1:2.2.3.1-2 * Wed Apr 19 2023 sjxur <sjxur@isoftstone.com> - 1:2.2.3.1-2
- fix issue(I6UCVJ) for rubygem-rack build problem in openEuler:22.03:LTS:Next - fix issue(I6UCVJ) for rubygem-rack build problem in openEuler:22.03:LTS:Next