[DRE-commits] [ruby-actionpack-3.2] 01/03: [CVE-2014-0130] Directory Traversal Vulnerability With Certain Route Configurations

Antonio Terceiro terceiro at moszumanska.debian.org
Wed May 14 17:58:04 UTC 2014


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.

commit bd2fcb5f29ea170213467fe593b5b1fd121f60ec
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Sat May 10 14:36:45 2014 -0300

    [CVE-2014-0130] Directory Traversal Vulnerability With Certain Route Configurations
---
 debian/changelog                   |  7 ++++
 debian/patches/CVE-2014-0130.patch | 81 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 89 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e580c53..dcd7921 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-actionpack-3.2 (3.2.6-6+deb7u2) wheezy-security; urgency=medium
+
+  * [CVE-2014-0130] Directory Traversal Vulnerability With Certain Route
+    Configurations (Closes: #000000)
+
+ -- Antonio Terceiro <terceiro at debian.org>  Sat, 10 May 2014 14:33:15 -0300
+
 ruby-actionpack-3.2 (3.2.6-6+deb7u1) wheezy-security; urgency=low
 
   * [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
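Review bot: the `Closes: #000000` in the new changelog entry is a placeholder and will not close any bug when the package is uploaded; replace it with the real Debian bug number for CVE-2014-0130 or drop the `(Closes: ...)` clause from `Configurations (Closes: #000000)` before the security upload.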
diff --git a/debian/patches/CVE-2014-0130.patch b/debian/patches/CVE-2014-0130.patch
new file mode 100644
index 0000000..0cac238
--- /dev/null
+++ b/debian/patches/CVE-2014-0130.patch
@@ -0,0 +1,81 @@
+From 0f3b7d1a319383f743f9938e1eed00f0fba7a367 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Thu, 17 Apr 2014 16:50:39 -0300
+Subject: [PATCH] Only accept actions without File::SEPARATOR in the name.
+
+This will avoid directory traversal in implicit render.
+
+Fixes: CVE-2014-0130
+---
+ actionpack/lib/abstract_controller/base.rb         | 28 +++++++++++++++++++---
+ .../new_base/render_implicit_action_test.rb        | 17 ++++++++++++-
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/actionpack/lib/abstract_controller/base.rb b/actionpack/lib/abstract_controller/base.rb
+index fd6a46f..2541125 100644
+--- a/lib/abstract_controller/base.rb
++++ b/lib/abstract_controller/base.rb
+@@ -112,7 +112,7 @@ module AbstractController
+     def process(action, *args)
+       @_action_name = action_name = action.to_s
+ 
+-      unless action_name = method_for_action(action_name)
++      unless action_name = _find_action_name(action_name)
+         raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
+       end
+ 
+@@ -138,7 +138,7 @@ module AbstractController
+     # available action consider actions that are also available
+     # through other means, for example, implicit render ones.
+     def available_action?(action_name)
+-      method_for_action(action_name).present?
++      _find_action_name(action_name).present?
+     end
+ 
+     private
+@@ -182,6 +182,23 @@ module AbstractController
+       end
+ 
+       # Takes an action name and returns the name of the method that will
++      # handle the action.
++      #
++      # It checks if the action name is valid and returns false otherwise.
++      #
++      # See method_for_action for more information.
++      #
++      # ==== Parameters
++      # * <tt>action_name</tt> - An action name to find a method name for
++      #
++      # ==== Returns
++      # * <tt>string</tt> - The name of the method that handles the action
++      # * false           - No valid method name could be found. Raise ActionNotFound.
++      def _find_action_name(action_name)
++        _valid_action_name?(action_name) && method_for_action(action_name)
++      end
++
++      # Takes an action name and returns the name of the method that will
+       # handle the action. In normal cases, this method returns the same
+       # name as it receives. By default, if #method_for_action receives
+       # a name that is not an action, it will look for an #action_missing
+@@ -203,11 +220,16 @@ module AbstractController
+       #
+       # ==== Returns
+       # * <tt>string</tt> - The name of the method that handles the action
+-      # * <tt>nil</tt>    - No method name could be found. Raise ActionNotFound.
++      # * <tt>nil</tt>    - No method name could be found.
+       def method_for_action(action_name)
+         if action_method?(action_name) then action_name
+         elsif respond_to?(:action_missing, true) then "_handle_action_missing"
+         end
+       end
++
++      # Checks if the action name is valid and returns false otherwise.
++      def _valid_action_name?(action_name)
++        action_name.to_s !~ Regexp.new(File::SEPARATOR)
++      end
+   end
+ end
+-- 
+1.9.1
+
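Review bot: the diffstat carried inside the new patch file (`.../new_base/render_implicit_action_test.rb | 17 ++++++++++++-` and `2 files changed, 41 insertions(+), 4 deletions(-)`) does not match its content, which only touches `lib/abstract_controller/base.rb`; either carry the upstream regression test over as well so the fix is exercised by the test suite, or trim the stat lines so the patch is self-consistent. Two smaller points on the same hunk: the `diff --git a/actionpack/lib/abstract_controller/base.rb` line still names the upstream path while the `---`/`+++` lines were rewritten to `a/lib/abstract_controller/base.rb` for the Debian source layout, which quilt tolerates at `-p1` but is worth making consistent; and `_valid_action_name?` rejects only `File::SEPARATOR` (`action_name.to_s !~ Regexp.new(File::SEPARATOR)`), not `File::ALT_SEPARATOR`, which is adequate for the Linux builds this package targets but deserves a sentence in the patch header as a known limitation.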
diff --git a/debian/patches/series b/debian/patches/series
index d37b949..2d1a6e1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ CVE-2013-6414.patch
 CVE-2013-6415.patch
 CVE-2013-6417.patch
 CVE-2013-4389.patch
+CVE-2014-0130.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git