diff --git a/fix-CVE-2024-28103.patch b/fix-CVE-2024-28103.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9855823092d5d9316c9a3f9e1105d2801e051e19
--- /dev/null
+++ b/fix-CVE-2024-28103.patch
@@ -0,0 +1,47 @@
+From 35858f1d9d57f6c4050a8d9ab754bd5d088b4523 Mon Sep 17 00:00:00 2001
+From: Zack Deveau
+Date: Tue, 27 Feb 2024 10:03:50 -0500
+Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
+
+[CVE-2024-28103]
+
+The application configurable Permissions-Policy is only
+served on responses with an HTML related Content-Type.
+
+This change allows all Content-Types to serve the
+configured Permissions-Policy as there are many non-HTML
+Content-Types that would benefit from this header.
+(examples include image/svg+xml and application/xml)
+
+---
+ .../lib/action_dispatch/http/permissions_policy.rb | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb b/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb
+index 5666ad0..6ec9087 100644
+--- a/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb
++++ b/actionpack-7.0.7/lib/action_dispatch/http/permissions_policy.rb
+@@ -37,7 +37,6 @@ module ActionDispatch # :nodoc:
+ request = ActionDispatch::Request.new(env)
+ _, headers, _ = response = @app.call(env)
+
+- return response unless html_response?(headers)
+ return response if policy_present?(headers)
+
+ if policy = request.permissions_policy
+@@ -52,12 +51,6 @@ module ActionDispatch # :nodoc:
+ end
+
+ private
+- def html_response?(headers)
+- if content_type = headers[CONTENT_TYPE]
+- /html/.match?(content_type)
+- end
+- end
+-
+ def policy_present?(headers)
+ headers[POLICY]
+ end
+--
+2.27.0
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 456b29305cd1824e90077892efa94d2f961a7949..02ae2f688c258ce9e12e16d8b068455fa8f5a0cb 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
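Review bot: The second embedded hunk (`@@ -52,12 +51,6 @@`) deletes `html_response?`, which is the only visible reader of `CONTENT_TYPE` (`headers[CONTENT_TYPE]`); if that constant is defined in this file solely for that check, the backport leaves it dead and it should be dropped in the same patch so a later reader does not reintroduce a content-type gate. The `call` method whose body the first hunk edits begins before `@@ -37,7 +37,6 @@` and continues past it, so the remaining policy-building lines are outside this view. Since the guard is gone, a one-line comment at the former site would record the intent for maintainers: `# Applied to every Content-Type, not just HTML (CVE-2024-28103).` The diffstat `1 file changed, 7 deletions(-)` shows the backport carries no test for the new behaviour.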
@@ -4,7 +4,7 @@
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 7.0.7
-Release: 2
+Release: 3
 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
@@ -25,6 +25,7 @@ Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
 # https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
 Patch1: CVE-2024-26143.patch
 Patch2: CVE-2024-26143-test.patch
+Patch3: fix-CVE-2024-28103.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: ruby(release)
@@ -63,6 +64,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
 %patch1 -p2
+%patch3 -p2
 
 pushd %{_builddir}
 %patch0 -p2
@@ -109,6 +111,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Wed Jun 5 2024 xuchenchen - 1:7.0.7-3
+- fix CVE-2024-28103
+
 * Wed Feb 28 2024 yaoxin - 1:7.0.7-2
 - Fix CVE-2024-26143 and remove unused file
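Review bot: `Patch3: fix-CVE-2024-28103.patch` in the `@@ -25,6 +25,7 @@` hunk arrives without a companion test patch, whereas the previous CVE fix ships both `Patch1: CVE-2024-26143.patch` and `Patch2: CVE-2024-26143-test.patch`; the embedded patch's own diffstat is `1 file changed, 7 deletions(-)`, so nothing in the package build verifies that a non-HTML response now carries the configured policy header. A follow-up `Patch4` adding a test that asserts the header on a response whose Content-Type is not HTML would let the build catch a regression, assuming the package runs the gem's test suite. The `%patch3 -p2` line in the `%prep` hunk matches the `-p2` used for Patch1 and the `a/actionpack-7.0.7/...` prefix inside the embedded patch, so the strip level looks consistent. The commit-reference comment above Patch1 has no counterpart for Patch3; adding `# https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523` would keep the provenance trail uniform.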