From 2f4b54fb5ad988a30122a002898cadacdb958b08 Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Tue, 29 Jun 2021 13:58:44 +0800
Subject: [PATCH] fix CVE-2021-22904
---
CVE-2021-22904.patch | 30 ++++++++++++++++++++++++++++++
rubygem-actionpack.spec | 21 ++++++++++++++++++---
2 files changed, 48 insertions(+), 3 deletions(-)
create mode 100644 CVE-2021-22904.patch
diff --git a/CVE-2021-22904.patch b/CVE-2021-22904.patch
new file mode 100644
index 0000000..bde17ee
--- /dev/null
+++ b/CVE-2021-22904.patch
@@ -0,0 +1,30 @@
+From 9859372bf52ef4fd5df73e1bdfb40982058c9c81 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 4 May 2021 15:49:21 -0700
+Subject: [PATCH] Prevent slow regex when parsing host authorization
+header
+
+The old regex could take too long when parsing an authorization header,
+and this could potentially cause a DoS vulnerability
+
+[CVE-2021-22904]
+---
+ .../lib/action_controller/metal/http_authentication.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+index 01676f3..d2e6674 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+@@ -406,7 +406,7 @@ module ActionController
+ module Token
+ TOKEN_KEY = "token="
+ TOKEN_REGEX = /^(Token|Bearer)\s+/
+- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
++ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
+ extend self
+
+ module ControllerMethods
+--
+2.23.0
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 445fd78..c6c6643 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
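Review bot: The embedded diff hard-codes the install path `usr/share/gems/gems/actionpack-5.2.4.4/` in its file headers, and nothing in the patch header records that these paths differ from the shortened `.../lib/action_controller/metal/http_authentication.rb` shown in its own diffstat. Because the spec applies it with `%patch1 -p1` straight after `%gem_install` (second hunk of rubygem-actionpack.spec), the patch applies only while the gem unpacks under exactly that directory and version, so any Version bump means regenerating it by hand. I would add a provenance line to the patch description, for example `Origin: <upstream commit URL>; paths rewritten for the %gem_install tree of actionpack 5.2.4.4`. The `module Token` body continues outside the hunk, so the place where `AUTHN_PAIR_DELIMITERS` is interpolated cannot be checked from here.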
@@ -1,14 +1,17 @@ %global gem_name actionpack %{?_with_bootstrap: %global bootstrap 1} +%global bootstrap 1 Name: rubygem-%{gem_name} Epoch: 1 -Version: 5.2.3 -Release: 1 +Version: 5.2.4.4 +Release: 3 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem -Source1: https://github.com/rails/rails/archive/v5.2.3.tar.gz +Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz +Patch0: CVE-2021-22885.patch +Patch1: CVE-2021-22904.patch BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 %if ! 0%{?bootstrap} BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version} @@ -32,6 +35,9 @@ Documentation for %{name}. %prep %setup -q -c -T %gem_install -n %{SOURCE0} +%patch0 -p1 +%patch1 -p1 + %build @@ -62,5 +68,14 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Mon Jun 28 2021 liwu - 5.2.4.4-3 +* Fix CVE-2021-22904 + +* Fri Jun 11 2021 wangyue - 5.2.4.4-2 +- Fix CVE-2021-22885 + +* Mon Feb 8 2021 sunguoshuai- 5.2.4.4-1 +- Upgrade to 5.2.4.4 + * Sat Aug 8 2020 chengzihan - 5.2.3-1 - Package init -- Gitee
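Review bot: The added `%global bootstrap 1` in the first hunk is unconditional, so the `%{?_with_bootstrap: %global bootstrap 1}` switch above it no longer has any effect and the `%if ! 0%{?bootstrap}` branch is permanently excluded from the build. That branch holds the `BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}` line. If the %check section (not visible in this hunk) is guarded the same way, the test suite does not run for a release that exists to ship CVE-2021-22885 and CVE-2021-22904. If bootstrap mode was only needed to break a dependency cycle during the 5.2.4.4 upgrade, drop the line once the matching gems are available, or at least annotate it: `# temporary: remove once activemodel/activerecord %{version} are built`.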