[DRE-commits] [ruby-rack] 02/02: Create cherry-picked patch for Security Fix (Closes: #789311)

Youhei SASAKI uwabami-guest at moszumanska.debian.org
Wed Jul 29 08:41:12 UTC 2015


This is an automated email from the git hooks/post-receive script.

uwabami-guest pushed a commit to branch master
in repository ruby-rack.

commit 73390d9d6409021d27e3a489bf50c248baba582e
Author: Youhei SASAKI <uwabami at gfd-dennou.org>
Date:   Wed Jul 29 17:35:03 2015 +0900

    Create cherry-picked patch for Security Fix (Closes: #789311)
    
    Signed-off-by: Youhei SASAKI <uwabami at gfd-dennou.org>
---
 debian/changelog                     |  2 +
 debian/patches/1-5-deep_params.patch | 92 ++++++++++++++++++++++++++++++++++++
 debian/patches/series                |  1 +
 3 files changed, 95 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 835a327..4121ba7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ ruby-rack (1.5.2-4) unstable; urgency=medium
 
   * Add patch: Fix upstream Issue 631
     - uninitialized constant Rack::Response::BodyProxy
+  * Create cherry-picked patch for Security Fix (Closes: #789311)
+    - CVE-2015-3225: 1-4-deep_params.patch
 
  -- Youhei SASAKI <uwabami at gfd-dennou.org>  Wed, 29 Jul 2015 17:32:29 +0900
 
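Review bot: the changelog entry at `- CVE-2015-3225: 1-4-deep_params.patch` names a file that this commit does not add; the patch created here and registered in `debian/patches/series` is `1-5-deep_params.patch`. Change the changelog line to `- CVE-2015-3225: 1-5-deep_params.patch` so the CVE reference points at the file that actually ships in the source package.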
diff --git a/debian/patches/1-5-deep_params.patch b/debian/patches/1-5-deep_params.patch
new file mode 100644
index 0000000..deec66e
--- /dev/null
+++ b/debian/patches/1-5-deep_params.patch
@@ -0,0 +1,92 @@
+From fa15479e232663b2b5b048155b8e74228ab75d7e Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson () gmail com>
+Date: Tue, 20 Jan 2015 14:30:13 -0800
+Subject: [PATCH] raise an exception if the parameters are too deep
+
+CVE-2015-3225
+
+Conflicts:
+	lib/rack/utils.rb
+	test/spec_utils.rb
+---
+ lib/rack/utils.rb  | 15 +++++++++++----
+ test/spec_utils.rb | 12 ++++++++++++
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 561e46e..a163c49 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -52,12 +52,17 @@ module Rack
+ 
+     class << self
+       attr_accessor :key_space_limit
++      attr_accessor :param_depth_limit
+     end
+ 
+     # The default number of bytes to allow parameter keys to take up.
+     # This helps prevent a rogue client from flooding a Request.
+     self.key_space_limit = 65536
+ 
++    # Default depth at which the parameter parser will raise an exception for
++    # being too deep.  This helps prevent SystemStackErrors
++    self.param_depth_limit = 100
++
+     # Stolen from Mongrel, with some small modifications:
+     # Parses a query string by breaking it up at the '&'
+     # and ';' characters.  You can also use this to parse
+@@ -100,7 +105,9 @@ module Rack
+     end
+     module_function :parse_nested_query
+ 
+-    def normalize_params(params, name, v = nil)
++    def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit)
++      raise RangeError if depth <= 0
++
+       name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
+       k = $1 || ''
+       after = $' || ''
+@@ -118,14 +125,14 @@ module Rack
+         params[k] ||= []
+         raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+         if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
+-          normalize_params(params[k].last, child_key, v)
++          normalize_params(params[k].last, child_key, v, depth - 1)
+         else
+-          params[k] << normalize_params(params.class.new, child_key, v)
++          params[k] << normalize_params(params.class.new, child_key, v, depth - 1)
+         end
+       else
+         params[k] ||= params.class.new
+         raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
+-        params[k] = normalize_params(params[k], after, v)
++        params[k] = normalize_params(params[k], after, v, depth - 1)
+       end
+ 
+       return params
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index 622b8ff..c1a2207 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -123,6 +123,18 @@ describe Rack::Utils do
+     Rack::Utils.parse_query(",foo=bar;,", ";,").should.equal "foo" => "bar"
+   end
+ 
++  should "raise an exception if the params are too deep" do
++    len = Rack::Utils.param_depth_limit
++
++    lambda {
++      Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar")
++    }.should.raise(RangeError)
++
++    lambda {
++      Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar")
++    }.should.not.raise
++  end
++
+   should "parse nested query strings correctly" do
+     Rack::Utils.parse_nested_query("foo").
+       should.equal "foo" => nil
+-- 
+2.2.1
+
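Review bot: `raise RangeError if depth <= 0` in the new `normalize_params` raises with no message, so a request that trips `param_depth_limit` surfaces as a bare `RangeError` that cannot be told apart in logs from any other `RangeError` raised during parsing; consider `raise RangeError, "exceeded parameter depth limit of #{Utils.param_depth_limit}"` (wording is a suggestion) so the failure is attributable when it is triaged. Two smaller points on the same hunk: the upstream header records `Conflicts:` in both `lib/rack/utils.rb` and `test/spec_utils.rb`, so the hunk offsets were hand-resolved against 1.5.2 and the added spec (`len` levels raises, `len - 1` does not) is the check that the backport still pins the boundary; and the patch header carries only the git `From:`/`Subject:` lines, so add DEP-3 `Origin: upstream, https://...` and `Bug-Debian: https://bugs.debian.org/789311` fields to link the patch to the bug it closes.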
diff --git a/debian/patches/series b/debian/patches/series
index b82d20b..65335ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Fix-unreported-FTBFS.patch
+1-5-deep_params.patch
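Review bot: `1-5-deep_params.patch` does not follow the `NNNN-description.patch` convention of the existing `0001-Fix-unreported-FTBFS.patch` entry and does not say what the patch does; consider naming it after the upstream subject, e.g. `0002-raise-an-exception-if-the-parameters-are-too-deep.patch`, so `series` stays sortable and self-describing, and update the changelog reference to match.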

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-rack.git


