[DRE-commits] [ruby-rack] 01/02: Fix CVE-2015-3225 (Closes: #789311)
Youhei SASAKI
uwabami-guest at moszumanska.debian.org
Wed Jul 29 08:41:12 UTC 2015
This is an automated email from the git hooks/post-receive script.
uwabami-guest pushed a commit to branch master-1.4.1-wheezy
in repository ruby-rack.
commit 7b9deb51dcc843f6aeda40c5a7dbe570766d4069
Author: Youhei SASAKI <uwabami at gfd-dennou.org>
Date: Wed Jul 29 16:36:11 2015 +0900
Fix CVE-2015-3225 (Closes: #789311)
Signed-off-by: Youhei SASAKI <uwabami at gfd-dennou.org>
---
debian/patches/1-4-deep_params.patch | 85 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 86 insertions(+)
diff --git a/debian/patches/1-4-deep_params.patch b/debian/patches/1-4-deep_params.patch
new file mode 100644
index 0000000..77c9e82
--- /dev/null
+++ b/debian/patches/1-4-deep_params.patch
@@ -0,0 +1,85 @@
+From fa15479e232663b2b5b048155b8e74228ab75d7e Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson () gmail com>
+Date: Tue, 20 Jan 2015 14:30:13 -0800
+Subject: [PATCH] raise an exception if the parameters are too deep
+
+CVE-2015-3225
+
+Conflicts:
+ lib/rack/utils.rb
+ test/spec_utils.rb
+---
+ lib/rack/utils.rb | 15 +++++++++++----
+ test/spec_utils.rb | 12 ++++++++++++
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -49,12 +49,17 @@
+
+ class << self
+ attr_accessor :key_space_limit
++ attr_accessor :param_depth_limit
+ end
+
+ # The default number of bytes to allow parameter keys to take up.
+ # This helps prevent a rogue client from flooding a Request.
+ self.key_space_limit = 65536
+
++ # Default depth at which the parameter parser will raise an exception for
++ # being too deep. This helps prevent SystemStackErrors
++ self.param_depth_limit = 100
++
+ # Stolen from Mongrel, with some small modifications:
+ # Parses a query string by breaking it up at the '&'
+ # and ';' characters. You can also use this to parse
+@@ -94,7 +99,9 @@
+ end
+ module_function :parse_nested_query
+
+- def normalize_params(params, name, v = nil)
++ def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit)
++ raise RangeError if depth <= 0
++
+ name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
+ k = $1 || ''
+ after = $' || ''
+@@ -112,14 +119,14 @@
+ params[k] ||= []
+ raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
+ if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
+- normalize_params(params[k].last, child_key, v)
++ normalize_params(params[k].last, child_key, v, depth - 1)
+ else
+- params[k] << normalize_params(params.class.new, child_key, v)
++ params[k] << normalize_params(params.class.new, child_key, v, depth - 1)
+ end
+ else
+ params[k] ||= params.class.new
+ raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k])
+- params[k] = normalize_params(params[k], after, v)
++ params[k] = normalize_params(params[k], after, v, depth - 1)
+ end
+
+ return params
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -114,6 +114,18 @@
+ Rack::Utils.parse_query("foo%3Dbaz=bar").should.equal "foo=baz" => "bar"
+ end
+
++ should "raise an exception if the params are too deep" do
++ len = Rack::Utils.param_depth_limit
++
++ lambda {
++ Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar")
++ }.should.raise(RangeError)
++
++ lambda {
++ Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar")
++ }.should.not.raise
++ end
++
+ should "parse nested query strings correctly" do
+ Rack::Utils.parse_nested_query("foo").
+ should.equal "foo" => nil
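Review bot: The guard `raise RangeError if depth <= 0` added at the top of normalize_params raises without a message, so a request that trips the depth limit cannot be told apart in logs or in rescue clauses from any other RangeError; consider `raise RangeError, "exceeded available parameter depth" if depth <= 0` so operators can attribute the failure. The comment above `self.param_depth_limit = 100` says the limit "helps prevent SystemStackErrors" but does not state the contract the added spec pins — a key with `param_depth_limit` bracketed segments raises, one fewer does not — so a sentence like `# A key nested to this many [..] levels (foo[a][b]...) raises RangeError instead of recursing further` would help anyone tuning the value. Whether something above Rack::Utils (Rack::Request or the application) rescues this RangeError into a 400 response is not visible in this patch; if nothing does, an over-deep query now fails as a 500, which still closes the stack-exhaustion vector but is worth confirming before shipping. normalize_params begins in the `@@ -94,7 +99,9 @@` hunk and its middle is not shown here; only its tail appears in the `@@ -112,14 +119,14 @@` hunk.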
diff --git a/debian/patches/series b/debian/patches/series
index 41e134c..8a096ab 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
0003-Reimplement-auth-scheme-fix.patch
0004-Prevent-symlink-path-traversals.patch
0005-Use-secure_compare-for-hmac-comparison.patch
+1-4-deep_params.patch