[DRE-commits] [SCM] ruby-actionpack-3.2.git branch, master, updated. debian/3.2.6-4-5-g92ff314
Antonio Terceiro
terceiro at debian.org
Wed Jan 9 21:38:40 UTC 2013
The following commit has been merged in the master branch:
commit 14869420159c135d6bd126347033fd5908fc838f
Author: Antonio Terceiro <terceiro at debian.org>
Date: Wed Jan 9 18:27:27 2013 -0300
Fix CVE-2013-0155
diff --git a/debian/changelog b/debian/changelog
index 1d1defa..af573d7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high
+
+ * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
+ [CVE-2013-0155] (Closes: #697802)
+
+ -- Antonio Terceiro <terceiro at debian.org> Wed, 09 Jan 2013 18:25:45 -0300
+
ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
* Add patches for security problems (Closes: #684454):
diff --git a/debian/patches/CVE-2013-0155.patch b/debian/patches/CVE-2013-0155.patch
new file mode 100644
index 0000000..ebc6501
--- /dev/null
+++ b/debian/patches/CVE-2013-0155.patch
@@ -0,0 +1,57 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+--- a/lib/action_dispatch/http/request.rb
++++ b/lib/action_dispatch/http/request.rb
+@@ -247,18 +247,14 @@ module ActionDispatch
+ LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
+ end
+
+- protected
+-
+ # Remove nils from the params hash
+ def deep_munge(hash)
+- keys = hash.keys.find_all { |k| hash[k] == [nil] }
+- keys.each { |k| hash[k] = nil }
+-
+- hash.each_value do |v|
++ hash.each do |k, v|
+ case v
+ when Array
+ v.grep(Hash) { |x| deep_munge(x) }
+ v.compact!
++ hash[k] = nil if v.empty?
+ when Hash
+ deep_munge(v)
+ end
+@@ -267,6 +263,8 @@ module ActionDispatch
+ hash
+ end
+
++ protected
++
+ def parse_query(qs)
+ deep_munge(super)
+ end
+--- a/lib/action_dispatch/middleware/params_parser.rb
++++ b/lib/action_dispatch/middleware/params_parser.rb
+@@ -38,13 +38,13 @@ module ActionDispatch
+ when Proc
+ strategy.call(request.raw_post)
+ when :xml_simple, :xml_node
+- data = Hash.from_xml(request.body.read) || {}
++ data = request.deep_munge(Hash.from_xml(request.body.read) || {})
+ request.body.rewind if request.body.respond_to?(:rewind)
+ data.with_indifferent_access
+ when :yaml
+ YAML.load(request.raw_post)
+ when :json
+- data = ActiveSupport::JSON.decode(request.body)
++ data = request.deep_munge ActiveSupport::JSON.decode(request.body)
+ request.body.rewind if request.body.respond_to?(:rewind)
+ data = {:_json => data} unless data.is_a?(Hash)
+ data.with_indifferent_access
diff --git a/debian/patches/series b/debian/patches/series
index 78fded1..e867028 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
CVE-2012-3424.patch
CVE-2012-3463.patch
CVE-2012-3465.patch
+CVE-2013-0155.patch
--
ruby-actionpack-3.2.git
More information about the Pkg-ruby-extras-commits
mailing list