[DRE-commits] [SCM] ruby-actionpack-3.2.git branch, master, updated. debian/3.2.6-4-5-g92ff314

Antonio Terceiro terceiro at debian.org
Wed Jan 9 21:38:40 UTC 2013


The following commit has been merged in the master branch:
commit 14869420159c135d6bd126347033fd5908fc838f
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Wed Jan 9 18:27:27 2013 -0300

    Fix CVE-2013-0155

diff --git a/debian/changelog b/debian/changelog
index 1d1defa..af573d7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high
+
+  * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
+    [CVE-2013-0155] (Closes: #697802)
+
+ -- Antonio Terceiro <terceiro at debian.org>  Wed, 09 Jan 2013 18:25:45 -0300
+
 ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
 
   * Add patches for security problems (Closes: #684454):
diff --git a/debian/patches/CVE-2013-0155.patch b/debian/patches/CVE-2013-0155.patch
new file mode 100644
index 0000000..ebc6501
--- /dev/null
+++ b/debian/patches/CVE-2013-0155.patch
@@ -0,0 +1,57 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+--- a/lib/action_dispatch/http/request.rb
++++ b/lib/action_dispatch/http/request.rb
+@@ -247,18 +247,14 @@ module ActionDispatch
+       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
+     end
+ 
+-    protected
+-
+     # Remove nils from the params hash
+     def deep_munge(hash)
+-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+-      keys.each { |k| hash[k] = nil }
+-
+-      hash.each_value do |v|
++      hash.each do |k, v|
+         case v
+         when Array
+           v.grep(Hash) { |x| deep_munge(x) }
+           v.compact!
++          hash[k] = nil if v.empty?
+         when Hash
+           deep_munge(v)
+         end
+@@ -267,6 +263,8 @@ module ActionDispatch
+       hash
+     end
+ 
++    protected
++
+     def parse_query(qs)
+       deep_munge(super)
+     end
+--- a/lib/action_dispatch/middleware/params_parser.rb
++++ b/lib/action_dispatch/middleware/params_parser.rb
+@@ -38,13 +38,13 @@ module ActionDispatch
+         when Proc
+           strategy.call(request.raw_post)
+         when :xml_simple, :xml_node
+-          data = Hash.from_xml(request.body.read) || {}
++          data = request.deep_munge(Hash.from_xml(request.body.read) || {})
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data.with_indifferent_access
+         when :yaml
+           YAML.load(request.raw_post)
+         when :json
+-          data = ActiveSupport::JSON.decode(request.body)
++          data = request.deep_munge ActiveSupport::JSON.decode(request.body)
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data = {:_json => data} unless data.is_a?(Hash)
+           data.with_indifferent_access
diff --git a/debian/patches/series b/debian/patches/series
index 78fded1..e867028 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 CVE-2012-3424.patch
 CVE-2012-3463.patch
 CVE-2012-3465.patch
+CVE-2013-0155.patch

-- 
ruby-actionpack-3.2.git



More information about the Pkg-ruby-extras-commits mailing list