[DRE-commits] [ruby-rest-client] 03/06: Remove patch 0001_fix-set-cookie-CVE-2015-1820.patch: merged upstream.
Lucas Nussbaum
lucas at moszumanska.debian.org
Tue May 5 14:46:54 UTC 2015
This is an automated email from the git hooks/post-receive script.
lucas pushed a commit to branch master
in repository ruby-rest-client.
commit 0e47bfcb40eee83c73b5c241e7583a1f9347582b
Author: Lucas Nussbaum <lucas at debian.org>
Date: Tue May 5 15:04:18 2015 +0200
Remove patch 0001_fix-set-cookie-CVE-2015-1820.patch: merged upstream.
---
.../0001_fix-set-cookie-CVE-2015-1820.patch | 173 ---------------------
debian/patches/series | 1 -
2 files changed, 174 deletions(-)
diff --git a/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch b/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch
deleted file mode 100644
index 4e7c116..0000000
--- a/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-Description: CVE-2015-1820: rest-client passes values from Set-Cookie headers to arbitrary redirection target
- When Ruby rest-client processes an HTTP redirection response, it blindly passes
- along the values from any Set-Cookie headers to the redirection target,
- regardless of domain, path, or expiration.
- .
- This is very similar to CVE-2015-2296, which affected python-requests.
- http://www.openwall.com/lists/oss-security/2015/03/14/4
- .
- The issue could be similarly exploited in the following ways:
- .
- * If you are the redirection source (i.e. you can make rest-client hit your
- URL), you can make rest-client perform a request to any third-party domain with
- cookies of your choosing. This may be useful in performing a session fixation
- attack.
- * If you are the redirection target (i.e. you can make a third-party
- site redirect to your URL), you can steal any cookies set by the third-party
- redirection.
- .
-Author: Andy Brody <git at abrody.com>
-Origin: upstream, https://patch-diff.githubusercontent.com/raw/rest-client/rest-client/pull/365.patch
-Bug: https://github.com/rest-client/rest-client/issues/369
-Bug-Debian: https://bugs.debian.org/781238
-Reviewed-By: Sebastien Badia <seb at sebian.fr>
-Last-Update: 2015-04-08
-
---- ruby-rest-client-1.6.7.orig/lib/restclient/abstract_response.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/abstract_response.rb
-@@ -1,10 +1,11 @@
- require 'cgi'
-+require 'http-cookie'
-
- module RestClient
-
- module AbstractResponse
-
-- attr_reader :net_http_res, :args
-+ attr_reader :net_http_res, :args, :request
-
- # HTTP status code
- def code
-@@ -22,11 +23,36 @@ module RestClient
- @raw_headers ||= @net_http_res.to_hash
- end
-
-+ def response_set_vars(net_http_res, args, request)
-+ @net_http_res = net_http_res
-+ @args = args
-+ @request = request
-+ end
-+
- # Hash of cookies extracted from response headers
- def cookies
-- @cookies ||= (self.headers[:set_cookie] || {}).inject({}) do |out, cookie_content|
-- out.merge parse_cookie(cookie_content)
-+ hash = {}
-+
-+ cookie_jar.cookies.each do |cookie|
-+ hash[cookie.name] = cookie.value
- end
-+
-+ hash
-+ end
-+
-+ # Cookie jar extracted from response headers.
-+ #
-+ # @return [HTTP::CookieJar]
-+ #
-+ def cookie_jar
-+ return @cookie_jar if @cookie_jar
-+
-+ jar = HTTP::CookieJar.new
-+ headers.fetch(:set_cookie, []).each do |cookie|
-+ jar.parse(cookie, @request.url)
-+ end
-+
-+ @cookie_jar = jar
- end
-
- # Return the default behavior corresponding to the response code:
-@@ -61,25 +87,28 @@ module RestClient
-
- # Follow a redirection
- def follow_redirection request = nil, result = nil, & block
-+ new_args = @args.dup
-+
- url = headers[:location]
- if url !~ /^http/
-- url = URI.parse(args[:url]).merge(url).to_s
-+ url = URI.parse(request.url).merge(url).to_s
- end
-- args[:url] = url
-+ new_args[:url] = url
- if request
- if request.max_redirects == 0
- raise MaxRedirectsReached
- end
-- args[:password] = request.password
-- args[:user] = request.user
-- args[:headers] = request.headers
-- args[:max_redirects] = request.max_redirects - 1
-- # pass any cookie set in the result
-- if result && result['set-cookie']
-- args[:headers][:cookies] = (args[:headers][:cookies] || {}).merge(parse_cookie(result['set-cookie']))
-- end
-+ new_args[:password] = request.password
-+ new_args[:user] = request.user
-+ new_args[:headers] = request.headers
-+ new_args[:max_redirects] = request.max_redirects - 1
-+
-+ # TODO: figure out what to do with original :cookie, :cookies values
-+ new_args[:headers]['Cookie'] = HTTP::Cookie.cookie_value(
-+ cookie_jar.cookies(new_args.fetch(:url)))
- end
-- Request.execute args, &block
-+
-+ Request.execute(new_args, &block)
- end
-
- def AbstractResponse.beautify_headers(headers)
---- ruby-rest-client-1.6.7.orig/lib/restclient/raw_response.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/raw_response.rb
-@@ -13,12 +13,13 @@ module RestClient
-
- include AbstractResponse
-
-- attr_reader :file
-+ attr_reader :file, :request
-
-- def initialize tempfile, net_http_res, args
-+ def initialize(tempfile, net_http_res, args, request)
- @net_http_res = net_http_res
- @args = args
- @file = tempfile
-+ @request = request
- end
-
- def to_s
---- ruby-rest-client-1.6.7.orig/lib/restclient/request.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/request.rb
-@@ -219,9 +219,9 @@ module RestClient
- def process_result res, & block
- if @raw_response
- # We don't decode raw requests
-- response = RawResponse.new(@tf, res, args)
-+ response = RawResponse.new(@tf, res, args, self)
- else
-- response = Response.create(Request.decode(res['content-encoding'], res.body), res, args)
-+ response = Response.create(Request.decode(res['content-encoding'], res.body), res, args, self)
- end
-
- if block_given?
---- ruby-rest-client-1.6.7.orig/lib/restclient/response.rb
-+++ ruby-rest-client-1.6.7/lib/restclient/response.rb
-@@ -6,17 +6,14 @@ module RestClient
-
- include AbstractResponse
-
-- attr_accessor :args, :body, :net_http_res
--
- def body
- self
- end
-
-- def Response.create body, net_http_res, args
-+ def self.create body, net_http_res, args, request
- result = body || ''
- result.extend Response
-- result.net_http_res = net_http_res
-- result.args = args
-+ result.response_set_vars(net_http_res, args, request)
- result
- end
-
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index 31efc66..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1 +0,0 @@
-0001_fix-set-cookie-CVE-2015-1820.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-rest-client.git
More information about the Pkg-ruby-extras-commits
mailing list