[DRE-commits] [ruby-rest-client] 03/06: Remove patch 0001_fix-set-cookie-CVE-2015-1820.patch: merged upstream.

Lucas Nussbaum lucas at moszumanska.debian.org
Tue May 5 14:46:54 UTC 2015



lucas pushed a commit to branch master
in repository ruby-rest-client.

commit 0e47bfcb40eee83c73b5c241e7583a1f9347582b
Author: Lucas Nussbaum <lucas at debian.org>
Date:   Tue May 5 15:04:18 2015 +0200

    Remove patch 0001_fix-set-cookie-CVE-2015-1820.patch: merged upstream.
---
 .../0001_fix-set-cookie-CVE-2015-1820.patch        | 173 ---------------------
 debian/patches/series                              |   1 -
 2 files changed, 174 deletions(-)

diff --git a/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch b/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch
deleted file mode 100644
index 4e7c116..0000000
--- a/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-Description: CVE-2015-1820: rest-client passes values from Set-Cookie headers to arbitrary redirection target
- When Ruby rest-client processes an HTTP redirection response, it blindly passes
- along the values from any Set-Cookie headers to the redirection target,
- regardless of domain, path, or expiration.
- .
- This is very similar to CVE-2015-2296, which affected python-requests.
- http://www.openwall.com/lists/oss-security/2015/03/14/4
- .
- The issue could be similarly exploited in the following ways:
- .
- * If you are the redirection source (i.e. you can make rest-client hit your
-   URL), you can make rest-client perform a request to any third-party domain with
-   cookies of your choosing. This may be useful in performing a session fixation
-   attack.
- * If you are the redirection target (i.e. you can make a third-party
-   site redirect to your URL), you can steal any cookies set by the third-party
-   redirection.
- .
-Author: Andy Brody <git at abrody.com>
-Origin: upstream, https://patch-diff.githubusercontent.com/raw/rest-client/rest-client/pull/365.patch
-Bug: https://github.com/rest-client/rest-client/issues/369
-Bug-Debian: https://bugs.debian.org/781238
-Reviewed-By: Sebastien Badia <seb at sebian.fr>
-Last-Update: 2015-04-08
-
---- ruby-rest-client-1.6.7.orig/lib/restclient/abstract_response.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/abstract_response.rb
-@@ -1,10 +1,11 @@
- require 'cgi'
-+require 'http-cookie'
- 
- module RestClient
- 
-   module AbstractResponse
- 
--    attr_reader :net_http_res, :args
-+    attr_reader :net_http_res, :args, :request
- 
-     # HTTP status code
-     def code
-@@ -22,11 +23,36 @@ module RestClient
-       @raw_headers ||= @net_http_res.to_hash
-     end
- 
-+    def response_set_vars(net_http_res, args, request)
-+      @net_http_res = net_http_res
-+      @args = args
-+      @request = request
-+    end
-+
-     # Hash of cookies extracted from response headers
-     def cookies
--      @cookies ||= (self.headers[:set_cookie] || {}).inject({}) do |out, cookie_content|
--        out.merge parse_cookie(cookie_content)
-+      hash = {}
-+
-+      cookie_jar.cookies.each do |cookie|
-+        hash[cookie.name] = cookie.value
-       end
-+
-+      hash
-+    end
-+
-+    # Cookie jar extracted from response headers.
-+    #
-+    # @return [HTTP::CookieJar]
-+    #
-+    def cookie_jar
-+      return @cookie_jar if @cookie_jar
-+
-+      jar = HTTP::CookieJar.new
-+      headers.fetch(:set_cookie, []).each do |cookie|
-+        jar.parse(cookie, @request.url)
-+      end
-+
-+      @cookie_jar = jar
-     end
- 
-     # Return the default behavior corresponding to the response code:
-@@ -61,25 +87,28 @@ module RestClient
- 
-     # Follow a redirection
-     def follow_redirection request = nil, result = nil, & block
-+      new_args = @args.dup
-+
-       url = headers[:location]
-       if url !~ /^http/
--        url = URI.parse(args[:url]).merge(url).to_s
-+        url = URI.parse(request.url).merge(url).to_s
-       end
--      args[:url] = url
-+      new_args[:url] = url
-       if request
-         if request.max_redirects == 0
-           raise MaxRedirectsReached
-         end
--        args[:password] = request.password
--        args[:user] = request.user
--        args[:headers] = request.headers
--        args[:max_redirects] = request.max_redirects - 1
--        # pass any cookie set in the result
--        if result && result['set-cookie']
--          args[:headers][:cookies] = (args[:headers][:cookies] || {}).merge(parse_cookie(result['set-cookie']))
--        end
-+        new_args[:password] = request.password
-+        new_args[:user] = request.user
-+        new_args[:headers] = request.headers
-+        new_args[:max_redirects] = request.max_redirects - 1
-+
-+        # TODO: figure out what to do with original :cookie, :cookies values
-+        new_args[:headers]['Cookie'] = HTTP::Cookie.cookie_value(
-+          cookie_jar.cookies(new_args.fetch(:url)))
-       end
--      Request.execute args, &block
-+
-+      Request.execute(new_args, &block)
-     end
- 
-     def AbstractResponse.beautify_headers(headers)
---- ruby-rest-client-1.6.7.orig/lib/restclient/raw_response.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/raw_response.rb
-@@ -13,12 +13,13 @@ module RestClient
- 
-     include AbstractResponse
- 
--    attr_reader :file
-+    attr_reader :file, :request
- 
--    def initialize tempfile, net_http_res, args
-+    def initialize(tempfile, net_http_res, args, request)
-       @net_http_res = net_http_res
-       @args = args
-       @file = tempfile
-+      @request = request
-     end
- 
-     def to_s
---- ruby-rest-client-1.6.7.orig/lib/restclient/request.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/request.rb
-@@ -219,9 +219,9 @@ module RestClient
-     def process_result res, & block
-       if @raw_response
-         # We don't decode raw requests
--        response = RawResponse.new(@tf, res, args)
-+        response = RawResponse.new(@tf, res, args, self)
-       else
--        response = Response.create(Request.decode(res['content-encoding'], res.body), res, args)
-+        response = Response.create(Request.decode(res['content-encoding'], res.body), res, args, self)
-       end
- 
-       if block_given?
---- ruby-rest-client-1.6.7.orig/lib/restclient/response.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/response.rb
-@@ -6,17 +6,14 @@ module RestClient
- 
-     include AbstractResponse
- 
--    attr_accessor :args, :body, :net_http_res
--
-     def body
-       self
-     end
- 
--    def Response.create body, net_http_res, args
-+    def self.create body, net_http_res, args, request
-       result = body || ''
-       result.extend Response
--      result.net_http_res = net_http_res
--      result.args = args
-+      result.response_set_vars(net_http_res, args, request)
-       result
-     end
- 
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index 31efc66..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1 +0,0 @@
-0001_fix-set-cookie-CVE-2015-1820.patch
