[DRE-commits] [ruby-actionpack-3.2] 02/06: [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)

Ondrej Sury ondrej at moszumanska.debian.org
Wed Dec 4 11:12:33 UTC 2013


This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.

commit bba0dee772103218c9f4624b92418f8d842db2cd
Author: Ondřej Surý <ondrej at sury.org>
Date:   Wed Dec 4 11:39:41 2013 +0100

    [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
---
 debian/patches/CVE-2013-6417.patch | 29 +++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 30 insertions(+)

diff --git a/debian/patches/CVE-2013-6417.patch b/debian/patches/CVE-2013-6417.patch
new file mode 100644
index 0000000..47edb6f
--- /dev/null
+++ b/debian/patches/CVE-2013-6417.patch
@@ -0,0 +1,29 @@
+From 75d452c06390118fc16c830439fccccd5a438285 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Sat, 30 Nov 2013 16:45:23 +1300
+Subject: [PATCH] Deep Munge the parameters for GET and POST
+
+The previous implementation of this functionality could be accidentally
+subverted by instantiating a raw Rack::Request before the first Rails::Request
+was constructed.
+
+Fixes CVE-2013-6417
+
+--- ruby-actionpack-3.2.orig/lib/action_dispatch/http/request.rb
++++ ruby-actionpack-3.2/lib/action_dispatch/http/request.rb
+@@ -222,13 +222,13 @@ module ActionDispatch
+ 
+     # Override Rack's GET method to support indifferent access
+     def GET
+-      @env["action_dispatch.request.query_parameters"] ||= (normalize_parameters(super) || {})
++      @env["action_dispatch.request.query_parameters"] ||= deep_munge(normalize_parameters(super) || {})
+     end
+     alias :query_parameters :GET
+ 
+     # Override Rack's POST method to support indifferent access
+     def POST
+-      @env["action_dispatch.request.request_parameters"] ||= (normalize_parameters(super) || {})
++      @env["action_dispatch.request.request_parameters"] ||= deep_munge(normalize_parameters(super) || {})
+     end
+     alias :request_parameters :POST
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 0d32017..94fcba8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ CVE-2012-3465.patch
 CVE-2013-0155.patch
 CVE-2013-1855.patch
 CVE-2013-1857.patch
+CVE-2013-6417.patch
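Review bot: appending the entry at the end of the series is correct only because CVE-2013-0155.patch, listed earlier, is what introduces the `deep_munge` method the new hunk calls; if the series is reordered or that patch is dropped during a future rebase, CVE-2013-6417.patch would still apply cleanly but fail at request time with NoMethodError. A `#` comment line in series (quilt ignores them) or a sentence in the patch header stating the ordering constraint would make that dependency visible to the next maintainer.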

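As an added illustration of the ordering problem the commit message describes (this is not code from the Rails commit or from the Debian package), the following Ruby models a memoising Rack::Request, a pre-fix shape in which munging hung off the parsing step (an assumption drawn from the commit message; the page does not show that earlier code), and the post-fix shape from the hunk. `parse_nested_query` is a simplified stand-in for Rack::Utils.parse_nested_query, `deep_munge` is reproduced from memory of the Rails 3.2 helper rather than taken from the page, and `RackRequest`, `RequestBeforeFix`, `RequestAfterFix` and `params_seen_by` are names chosen here.

```ruby
require "cgi"

# Simplified stand-in for Rack::Utils.parse_nested_query (assumption: only the
# bare "key", "key[]" and "key[sub]" forms are modelled). As in Rack, a pair
# with no "=" ("name[]") yields a nil value, which is what let "?name[]" reach
# ActiveRecord as name => [nil] and become a "name IS NULL" condition.
def parse_nested_query(qs)
  params = {}
  qs.to_s.split("&").each do |pair|
    next if pair.empty?
    key, val = pair.split("=", 2)
    key = CGI.unescape(key)
    val = CGI.unescape(val) unless val.nil?
    if (m = key.match(/\A([^\[]+)\[\]\z/))             # key[]    -> array
      (params[m[1]] ||= []) << val
    elsif (m = key.match(/\A([^\[]+)\[([^\]]+)\]\z/))  # key[sub] -> nested hash
      (params[m[1]] ||= {})[m[2]] = val
    else
      params[key] = val
    end
  end
  params
end

# Modelled on the deep_munge that the CVE-2013-0155 fix added to
# ActionDispatch::Request (assumption: body reproduced from memory): nils are
# stripped out of arrays recursively, in place, and the same hash is returned.
def deep_munge(hash)
  hash.each_value do |v|
    case v
    when Array
      v.grep(Hash) { |x| deep_munge(x) }
      v.compact!
    when Hash
      deep_munge(v)
    end
  end
  hash
end

# Minimal model of Rack::Request: GET parses QUERY_STRING once and memoises the
# result in the shared env hash, which is the step a hook in parse_query sits behind.
class RackRequest
  def initialize(env)
    @env = env
  end

  def GET
    @env["rack.request.query_hash"] ||= parse_query(@env["QUERY_STRING"])
  end

  def parse_query(qs)
    parse_nested_query(qs)
  end
end

# Pre-fix shape (assumption drawn from the commit message): munging hooks the
# parsing step, so it never runs when Rack has already memoised a parse.
class RequestBeforeFix < RackRequest
  def GET
    @env["action_dispatch.request.query_parameters"] ||= (super || {})
  end

  def parse_query(qs)
    deep_munge(super)
  end
end

# Post-fix shape from the hunk: munge whatever super hands back, so a hash that
# Rack memoised before this request object existed is cleaned as well.
class RequestAfterFix < RackRequest
  def GET
    @env["action_dispatch.request.query_parameters"] ||= deep_munge(super || {})
  end
end

# Parameters the Rails-side request sees for query_string, optionally after a
# raw RackRequest has already parsed and memoised the same env.
def params_seen_by(klass, query_string, raw_rack_first:)
  env = { "QUERY_STRING" => query_string }
  RackRequest.new(env).GET if raw_rack_first
  klass.new(env).GET
end

if __FILE__ == $PROGRAM_NAME
  q = "name[]&role=admin"   # constructed attacker query string
  p params_seen_by(RequestBeforeFix, q, raw_rack_first: false)
  p params_seen_by(RequestBeforeFix, q, raw_rack_first: true)   # [nil] survives
  p params_seen_by(RequestAfterFix,  q, raw_rack_first: true)   # [nil] stripped
end
```

With the raw RackRequest constructed first, the pre-fix class hands back `"name" => [nil]`, the value ActiveRecord's `where` turns into `IS NULL`, while the post-fix class strips it regardless of which object parsed the query first. The check a maintainer wants from a regression test is exactly the middle call above: same env, a bare Rack request touched before the Rails one, and no nil left in any array.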
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git



More information about the Pkg-ruby-extras-commits mailing list