From e2f2f5e2d245d009846282f439024fd69f4d9fd3 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 24 Jul 2023 11:37:22 +0800
Subject: [PATCH] Fix CVE-2023-28362

---
 CVE-2023-28362-test.patch | 36 ++++++++++++++++++++
 CVE-2023-28362.patch | 71 +++++++++++++++++++++++++++++++++++++++
 rubygem-actionpack.spec | 12 ++++++-
 3 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-28362-test.patch
 create mode 100644 CVE-2023-28362.patch

diff --git a/CVE-2023-28362-test.patch b/CVE-2023-28362-test.patch
new file mode 100644
index 0000000..05d8b2d
--- /dev/null
+++ b/CVE-2023-28362-test.patch
@@ -0,0 +1,36 @@
+
+diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
+index e218ef35e483b..c088d96413132 100644
+--- a/actionpack/test/controller/redirect_test.rb
++++ b/actionpack/test/controller/redirect_test.rb
+@@ -153,6 +153,11 @@ def redirect_with_null_bytes
+ redirect_to "\000/lol\r\nwat"
+ end
+
++ def unsafe_redirect_with_illegal_http_header_value_character
++ redirect_to "javascript:alert(document.domain)\b"
++ end
++
++
+ def rescue_errors(e) raise e end
+
+ private
+@@ -437,6 +442,18 @@ def test_redirect_to_with_block_and_accepted_options
+ assert_redirected_to "http://test.host/redirect/hello_world"
+ end
+ end
++
++ def test_unsafe_redirect_with_illegal_http_header_value_character
++ error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
++ get :unsafe_redirect_with_illegal_http_header_value_character
++ end
++
++ msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
++ "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
++
++ assert_equal msg, error.message
++ end
++
+ end
+
+ module ModuleTest
diff --git a/CVE-2023-28362.patch b/CVE-2023-28362.patch
new file mode 100644
index 0000000..6525774
--- /dev/null
+++ b/CVE-2023-28362.patch
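Review bot: The new test in `CVE-2023-28362-test.patch` pins only one rejected byte (`\b`, 0x08), so the edges of the `ILLEGAL_HEADER_VALUE_REGEX` range `[\x00-\x08\x0A-\x1F]` introduced by Patch0 are not exercised: nothing shows that 0x1F is rejected, nor that HTAB (0x09, which the range deliberately skips) is still accepted. A second controller action such as `redirect_to "http://test.host/\x1F"` asserting `UnsafeRedirectError`, plus a tab case asserting an ordinary redirect, would document the intended boundary; since this file is a copy of the upstream test, such additions would be local to this package. The two consecutive blank lines added after the new controller action are a cosmetic artifact of the upstream hunk. The controller and test-case classes that enclose these methods start and end outside the nested hunks.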
@@ -0,0 +1,71 @@
+From 1c3f93d1e90a3475f9ae2377ead25ccf11f71441 Mon Sep 17 00:00:00 2001
+From: Zack Deveau
+Date: Fri, 12 May 2023 13:04:22 -0400
+Subject: [PATCH] Added check for illegal HTTP header value in redirect_to
+
+The set of legal characters for an HTTP header value is described
+in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6.
+
+This commit adds a check to redirect_to that ensures the
+provided URL does not contain any of the illegal characters.
+
+Downstream consumers of the resulting Location response header
+may remove the header if it does not comply with the RFC.
+This can result in a cross site scripting (XSS) vector by
+allowing for the redirection page to sit idle waiting
+for user interaction with the provided malicious link.
+
+[CVE-2023-28362]
+
+Origin: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
+
+---
+ .../action_controller/metal/redirecting.rb | 21 ++++++++++++++++++-
+ actionpack/test/controller/redirect_test.rb | 17 +++++++++++++++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
+index 11d462855d064..fdd3f9dc44149 100644
+--- a/actionpack/lib/action_controller/metal/redirecting.rb
++++ b/actionpack/lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module Redirecting
+ include AbstractController::Logger
+ include ActionController::UrlFor
+
++ ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
++
++ class UnsafeRedirectError < StandardError; end
++
+ # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+ #
+ # * Hash - The URL will be generated by calling url_for with the +options+.
+@@ -60,7 +64,11 @@ def redirect_to(options = {}, response_options = {})
+ raise AbstractController::DoubleRenderError if response_body
+
+ self.status = _extract_redirect_to_status(options, response_options)
+- self.location = _compute_redirect_to_location(request, options)
++
++ redirect_to_location = _compute_redirect_to_location(request, options)
++ _ensure_url_is_http_header_safe(redirect_to_location)
++
++ self.location = redirect_to_location
+ self.response_body = "You are being redirected."
+ end
+
+@@ -129,5 +137,16 @@ def _url_host_allowed?(url)
+ rescue ArgumentError, URI::Error
+ false
+ end
++
++ def _ensure_url_is_http_header_safe(url)
++ # Attempt to comply with the set of valid token characters
++ # defined for an HTTP header value in
++ # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
++ if url.match(ILLEGAL_HEADER_VALUE_REGEX)
++ msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
++ "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
++ raise UnsafeRedirectError, msg
++ end
++ end
+ end
+ end
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 9558990..c3bab05 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -4,13 +4,15 @@
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 6.1.4.1
-Release: 2
+Release: 3
 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: %{gem_name}-%{version}-tests.txz
 Source2: rails-%{version}-tools.txz
+Patch0: CVE-2023-28362.patch
+Patch1: CVE-2023-28362-test.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: ruby(release)
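Review bot: `_ensure_url_is_http_header_safe` uses `url.match(ILLEGAL_HEADER_VALUE_REGEX)` purely as a predicate, so `match?` is the idiomatic form and avoids allocating a `MatchData` on every redirect: `if url.match?(ILLEGAL_HEADER_VALUE_REGEX)`. The character class `[\x00-\x08\x0A-\x1F]` stops at 0x1F, whereas the RFC 7230 field-value grammar the comment cites also excludes DEL (0x7F lies outside VCHAR 0x21–0x7E and obs-text); whether intermediaries drop a `Location` header for DEL as they do for the other control characters is not established here, so if the backport is kept byte-identical to upstream a comment recording the gap, `# NOTE: 0x7F (DEL) is not rejected although RFC 7230 field-vchar excludes it too`, would help the next maintainer. The raised message interpolates the raw `url`, control bytes included, so they reach whatever logs the exception; `url.inspect` would escape them, but the message text is pinned by the test in Patch1 and by upstream, so that change has to be weighed against staying faithful to the origin commit. The nested hunk shows only part of `redirect_to`, whose body begins before and continues after the shown lines.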
@@ -48,6 +50,11 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
+%patch0 -p2
+pushd %{_builddir}
+%patch1 -p2
+popd
+
 
 %build
 gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
@@ -89,6 +96,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-3
+- Fix CVE-2023-28362
+
 * Thu Oct 20 2022 caodongxia - 1:6.1.4.1-2
 - Fix compilation failed
 
-- Gitee
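Review bot: The `%prep` hunk applies `%patch1 -p2` from `%{_builddir}` while `%patch0 -p2` is applied from the unpacked gem directory, and nothing in the spec records why the two differ. Patch1 rewrites `a/actionpack/test/controller/redirect_test.rb`, so with `-p2` it resolves to `test/controller/redirect_test.rb` relative to `%{_builddir}`, which presumably is where `-b1` unpacks the Source1 tests archive — confirm against the tarball layout, since a mismatch only surfaces at build time. A one-line comment before the `pushd`, `# Patch1 targets the test suite unpacked from Source1 (-b1), not the gem tree`, would make the intent explicit. Whether `%check` actually runs `redirect_test.rb`, so that the backported test is exercised, is outside this hunk.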