[DRE-commits] [rails] 01/02: Security updates: CVE-2016-2098, CVE-2016-2097
Antonio Terceiro
terceiro at moszumanska.debian.org
Fri Mar 4 18:31:25 UTC 2016
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch debian/jessie
in repository rails.
commit 49ca47df92c2346af730c5057f00e3a05cebf963
Author: Antonio Terceiro <terceiro at debian.org>
Date: Wed Mar 2 12:06:59 2016 -0300
Security updates: CVE-2016-2098, CVE-2016-2097
---
debian/changelog | 9 ++
debian/patches/CVE-2016-2097.patch | 260 +++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2016-2098.patch | 114 ++++++++++++++++
debian/patches/series | 2 +
4 files changed, 385 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f5782cd..aa08ba6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+rails (2:4.1.8-1+deb8u2) jessie-security; urgency=high
+
+ * Security updates:
+ - [CVE-2016-2098] Possible remote code execution vulnerability in Action
+ Pack
+ - [CVE-2016-2097] Possible Information Leak Vulnerability in Action View.
+
+ -- Antonio Terceiro <terceiro at debian.org> Wed, 02 Mar 2016 12:03:46 -0300
+
rails (2:4.1.8-1+deb8u1) jessie-security; urgency=high
* Security updates:
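Review bot: the two changelog bullets in this hunk are inconsistently punctuated (the CVE-2016-2098 item has no trailing period, the CVE-2016-2097 item does), and the first item wraps "Action Pack" across lines; keep one style for both. Since the CVE-2016-2097 patch changes the meaning of `render "foo/bar"` from `file:` to `template:` for every application on jessie, a debian/NEWS entry describing that behaviour change would help administrators who upgrade through unattended security updates.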
diff --git a/debian/patches/CVE-2016-2097.patch b/debian/patches/CVE-2016-2097.patch
new file mode 100644
index 0000000..cd7e5d8
--- /dev/null
+++ b/debian/patches/CVE-2016-2097.patch
@@ -0,0 +1,260 @@
+From 1a65dd1c21cb7a70db054793deeb19dea1b357cf Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Tue, 26 Jan 2016 17:06:31 -0800
+Subject: [PATCH 1/2] Change render "foo" to render a template and not a file.
+
+Previously, calling `render "foo/bar"` in a controller action is
+equivalent to `render file: "foo/bar"`. This has been changed to
+mean `render template: "foo/bar"` instead. If you need to render a
+file, please change your code to use the explicit form
+(`render file: "foo/bar"`) instead.
+
+Test that we are not allowing you to grab a file with an absolute path
+outside of your application directory. This is dangerous because it
+could be used to retrieve files from the server like `/etc/passwd`.
+
+Fix CVE-2016-2097.
+---
+ .../test/controller/new_base/render_file_test.rb | 29 ----------------------
+ .../controller/new_base/render_template_test.rb | 9 +++++++
+ actionpack/test/controller/render_test.rb | 17 +++++++++++++
+ actionview/CHANGELOG.md | 10 ++++++++
+ actionview/lib/action_view/rendering.rb | 4 +--
+ .../test/actionpack/controller/render_test.rb | 23 ++++-------------
+ 6 files changed, 43 insertions(+), 49 deletions(-)
+
+diff --git a/actionpack/test/controller/new_base/render_file_test.rb b/actionpack/test/controller/new_base/render_file_test.rb
+index a961cbf..0c21bb0 100644
+--- a/actionpack/test/controller/new_base/render_file_test.rb
++++ b/actionpack/test/controller/new_base/render_file_test.rb
+@@ -13,15 +13,6 @@ module RenderFile
+ render :file => File.join(File.dirname(__FILE__), '../../fixtures/test/render_file_with_ivar')
+ end
+
+- def without_file_key
+- render File.join(File.dirname(__FILE__), *%w[.. .. fixtures test hello_world])
+- end
+-
+- def without_file_key_with_instance_variable
+- @secret = 'in the sauce'
+- render File.join(File.dirname(__FILE__), '../../fixtures/test/render_file_with_ivar')
+- end
+-
+ def relative_path
+ @secret = 'in the sauce'
+ render :file => '../../fixtures/test/render_file_with_ivar'
+@@ -41,11 +32,6 @@ module RenderFile
+ path = File.join(File.dirname(__FILE__), '../../fixtures/test/render_file_with_locals')
+ render :file => path, :locals => {:secret => 'in the sauce'}
+ end
+-
+- def without_file_key_with_locals
+- path = FIXTURES.join('test/render_file_with_locals').to_s
+- render path, :locals => {:secret => 'in the sauce'}
+- end
+ end
+
+ class TestBasic < Rack::TestCase
+@@ -61,16 +47,6 @@ module RenderFile
+ assert_response "The secret is in the sauce\n"
+ end
+
+- test "rendering path without specifying the :file key" do
+- get :without_file_key
+- assert_response "Hello world!"
+- end
+-
+- test "rendering path without specifying the :file key with ivar" do
+- get :without_file_key_with_instance_variable
+- assert_response "The secret is in the sauce\n"
+- end
+-
+ test "rendering a relative path" do
+ get :relative_path
+ assert_response "The secret is in the sauce\n"
+@@ -90,10 +66,5 @@ module RenderFile
+ get :with_locals
+ assert_response "The secret is in the sauce\n"
+ end
+-
+- test "rendering path without specifying the :file key with locals" do
+- get :without_file_key_with_locals
+- assert_response "The secret is in the sauce\n"
+- end
+ end
+ end
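Review bot: the `without_file_key*` actions and their tests are deleted outright rather than converted into negative tests, so this file no longer asserts anything about what `render "<path with slash>"` does after the change; the only negative coverage in the patch is `test_dynamic_render_with_absolute_path` in actionpack/test/controller/render_test.rb. Keeping one of the removed cases as an `assert_raises ActionView::MissingTemplate` would document the new semantics where the old ones were tested.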
+diff --git a/actionpack/test/controller/new_base/render_template_test.rb b/actionpack/test/controller/new_base/render_template_test.rb
+index b7a9cf9..b0c4efb 100644
+--- a/actionpack/test/controller/new_base/render_template_test.rb
++++ b/actionpack/test/controller/new_base/render_template_test.rb
+@@ -45,6 +45,10 @@ module RenderTemplate
+ render :template => "locals", :locals => { :secret => 'area51' }
+ end
+
++ def with_locals_without_key
++ render "locals", :locals => { :secret => 'area51' }
++ end
++
+ def builder_template
+ render :template => "xml_template"
+ end
+@@ -101,6 +105,11 @@ module RenderTemplate
+ assert_response "The secret is area51"
+ end
+
++ test "rendering a template with local variables without key" do
++ get :with_locals
++ assert_response "The secret is area51"
++ end
++
+ test "rendering a builder template" do
+ get :builder_template, "format" => "xml"
+ assert_response "<html>\n <p>Hello</p>\n</html>\n"
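Review bot: the new test "rendering a template with local variables without key" calls `get :with_locals` instead of `get :with_locals_without_key`, so the action added in the earlier hunk of this file (`render "locals", :locals => {...}`) is never exercised and the test duplicates the existing one. Change the line to `get :with_locals_without_key` so the test actually covers the implicit-template form.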
+diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
+index 17a019e..0fcbb86 100644
+--- a/actionpack/test/controller/render_test.rb
++++ b/actionpack/test/controller/render_test.rb
+@@ -261,6 +261,11 @@ end
+ class ExpiresInRenderTest < ActionController::TestCase
+ tests TestController
+
++ def setup
++ super
++ ActionController::Base.view_paths.paths.each(&:clear_cache)
++ end
++
+ def test_dynamic_render_with_file
+ # This is extremely bad, but should be possible to do.
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+@@ -269,6 +274,18 @@ class ExpiresInRenderTest < ActionController::TestCase
+ response.body
+ end
+
++ def test_dynamic_render_with_absolute_path
++ file = Tempfile.new('name')
++ file.write "secrets!"
++ file.flush
++ assert_raises ActionView::MissingTemplate do
++ get :dynamic_render, { id: file.path }
++ end
++ ensure
++ file.close
++ file.unlink
++ end
++
+ def test_dynamic_render
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+ assert_raises ActionView::MissingTemplate do
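Review bot: `test_dynamic_render_with_absolute_path` uses `Tempfile`, but no `require 'tempfile'` appears in this hunk; confirm the test helper loads it, otherwise the test fails with NameError rather than exercising the fix. The `ensure` clause also calls `file.close` unconditionally, so if `Tempfile.new` itself raised, `file` would be nil; the `setup` hunk above clears the resolver caches so a template lookup cached by an earlier test cannot mask the expected `MissingTemplate`, and a one-line comment saying so would help future readers.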
+diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
+index 80a2a5e..05bda0d 100644
+--- a/actionview/CHANGELOG.md
++++ b/actionview/CHANGELOG.md
+@@ -1,3 +1,13 @@
++* Changed the meaning of `render "foo/bar"`.
++
++ Previously, calling `render "foo/bar"` in a controller action is equivalent
++ to `render file: "foo/bar"`. This has been changed to mean
++ `render template: "foo/bar"` instead. If you need to render a file, please
++ change your code to use the explicit form (`render file: "foo/bar"`) instead.
++
++ *Eileen Uchitelle*
++
++
+ ## Rails 4.1.14 (November 12, 2015) ##
+
+ * Fix `mail_to` when called with `nil` as argument.
+diff --git a/actionview/lib/action_view/rendering.rb b/actionview/lib/action_view/rendering.rb
+index 017302d..6283830 100644
+--- a/actionview/lib/action_view/rendering.rb
++++ b/actionview/lib/action_view/rendering.rb
+@@ -107,7 +107,7 @@ module ActionView
+ end
+
+ # Normalize args by converting render "foo" to render :action => "foo" and
+- # render "foo/bar" to render :file => "foo/bar".
++ # render "foo/bar" to render :template => "foo/bar".
+ # :api: private
+ def _normalize_args(action=nil, options={})
+ options = super(action, options)
+@@ -117,7 +117,7 @@ module ActionView
+ options = action
+ when String, Symbol
+ action = action.to_s
+- key = action.include?(?/) ? :file : :action
++ key = action.include?(?/) ? :template : :action
+ options[key] = action
+ else
+ options[:partial] = action
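Review bot: the one-character change from `:file` to `:template` is the whole fix, so callers that pass user-controlled strings containing a slash to `render` now get a template lookup inside the view paths instead of a filesystem read; that closes the `/etc/passwd` style read described in the commit message. Note that `render file: ...` is left untouched and still accepts absolute and relative filesystem paths, so applications that build that argument from request data remain exposed and should validate the path themselves.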
+diff --git a/actionview/test/actionpack/controller/render_test.rb b/actionview/test/actionpack/controller/render_test.rb
+index 45b8049..a9991fe 100644
+--- a/actionview/test/actionpack/controller/render_test.rb
++++ b/actionview/test/actionpack/controller/render_test.rb
+@@ -91,17 +91,17 @@ class TestController < ApplicationController
+
+ # :ported:
+ def render_hello_world
+- render :template => "test/hello_world"
++ render "test/hello_world"
+ end
+
+ def render_hello_world_with_last_modified_set
+ response.last_modified = Date.new(2008, 10, 10).to_time
+- render :template => "test/hello_world"
++ render "test/hello_world"
+ end
+
+ # :ported: compatibility
+ def render_hello_world_with_forward_slash
+- render :template => "/test/hello_world"
++ render "/test/hello_world"
+ end
+
+ # :ported:
+@@ -111,7 +111,7 @@ class TestController < ApplicationController
+
+ # :deprecated:
+ def render_template_in_top_directory_with_slash
+- render :template => '/shared'
++ render '/shared'
+ end
+
+ # :ported:
+@@ -160,13 +160,6 @@ class TestController < ApplicationController
+ end
+
+ # :ported:
+- def render_file_as_string_with_instance_variables
+- @secret = 'in the sauce'
+- path = File.expand_path(File.join(File.dirname(__FILE__), '../../fixtures/test/render_file_with_ivar'))
+- render path
+- end
+-
+- # :ported:
+ def render_file_not_using_full_path
+ @secret = 'in the sauce'
+ render :file => 'test/render_file_with_ivar'
+@@ -194,7 +187,7 @@ class TestController < ApplicationController
+
+ def render_file_as_string_with_locals
+ path = File.expand_path(File.join(File.dirname(__FILE__), '../../fixtures/test/render_file_with_locals'))
+- render path, :locals => {:secret => 'in the sauce'}
++ render file: path, :locals => {:secret => 'in the sauce'}
+ end
+
+ def accessing_request_in_template
+@@ -781,12 +774,6 @@ class RenderTest < ActionController::TestCase
+ end
+
+ # :ported:
+- def test_render_file_as_string_with_instance_variables
+- get :render_file_as_string_with_instance_variables
+- assert_equal "The secret is in the sauce\n", @response.body
+- end
+-
+- # :ported:
+ def test_render_file_not_using_full_path
+ get :render_file_not_using_full_path
+ assert_equal "The secret is in the sauce\n", @response.body
+--
+2.7.0
+
diff --git a/debian/patches/CVE-2016-2098.patch b/debian/patches/CVE-2016-2098.patch
new file mode 100644
index 0000000..41913d4
--- /dev/null
+++ b/debian/patches/CVE-2016-2098.patch
@@ -0,0 +1,114 @@
+From 1b84d905801125fcca0c8f43bf6af7d7872ac87e Mon Sep 17 00:00:00 2001
+From: Arthur Neves <arthurnn at gmail.com>
+Date: Wed, 24 Feb 2016 20:29:10 -0500
+Subject: [PATCH 2/2] Don't allow render(params) on views.
+
+If `render(params)` is called in a view it should be protected the same
+ way it is in the controllers. We should raise an error if thats happens.
+
+Fix CVE-2016-2098.
+---
+ actionpack/test/controller/render_test.rb | 24 +++++++++++++++++++++++-
+ actionview/lib/action_view/renderer/renderer.rb | 4 ++++
+ actionview/test/template/render_test.rb | 19 +++++++++++++++++++
+ 3 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
+index 0fcbb86..7bdf65c 100644
+--- a/actionpack/test/controller/render_test.rb
++++ b/actionpack/test/controller/render_test.rb
+@@ -258,6 +258,16 @@ class MetalTestController < ActionController::Metal
+ end
+ end
+
++class MetalWithoutAVTestController < ActionController::Metal
++ include AbstractController::Rendering
++ include ActionController::Rendering
++ include ActionController::StrongParameters
++
++ def dynamic_params_render
++ render params
++ end
++end
++
+ class ExpiresInRenderTest < ActionController::TestCase
+ tests TestController
+
+@@ -294,9 +304,10 @@ class ExpiresInRenderTest < ActionController::TestCase
+ end
+
+ def test_dynamic_render_file_hash
+- assert_raises ArgumentError do
++ e = assert_raises ArgumentError do
+ get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }
+ end
++ assert_equal "render parameters are not permitted", e.message
+ end
+
+ def test_expires_in_header
+@@ -473,6 +484,17 @@ class MetalRenderTest < ActionController::TestCase
+ end
+ end
+
++class MetalRenderWithoutAVTest < ActionController::TestCase
++ tests MetalWithoutAVTestController
++
++ def test_dynamic_params_render
++ e = assert_raises ArgumentError do
++ get :dynamic_params_render, { inline: '<%= RUBY_VERSION %>' }
++ end
++ assert_equal "render parameters are not permitted", e.message
++ end
++end
++
+ class HeadRenderTest < ActionController::TestCase
+ tests TestController
+
+diff --git a/actionview/lib/action_view/renderer/renderer.rb b/actionview/lib/action_view/renderer/renderer.rb
+index 964b183..5ba7b2b 100644
+--- a/actionview/lib/action_view/renderer/renderer.rb
++++ b/actionview/lib/action_view/renderer/renderer.rb
+@@ -17,6 +17,10 @@ module ActionView
+
+ # Main render entry point shared by AV and AC.
+ def render(context, options)
++ if options.respond_to?(:permitted?) && !options.permitted?
++ raise ArgumentError, "render parameters are not permitted"
++ end
++
+ if options.key?(:partial)
+ render_partial(context, options)
+ else
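Review bot: the guard is placed before the `:partial` branch, so it covers both partial and template rendering, but it relies on duck typing of `permitted?` and only inspects the top-level options object. A plain Hash copied out of params passes through unchanged, and a `params` object that was explicitly permitted still has its `:inline`, `:file` and `:template` keys honoured, so view code that builds render options from request data still needs to restrict which keys it forwards.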
+diff --git a/actionview/test/template/render_test.rb b/actionview/test/template/render_test.rb
+index caf6d13..b3de94f 100644
+--- a/actionview/test/template/render_test.rb
++++ b/actionview/test/template/render_test.rb
+@@ -149,6 +149,25 @@ module RenderTestCases
+ end
+ end
+
++ def test_render_with_strong_parameters
++ params = { :inline => '<%= RUBY_VERSION %>' }
++ def params.permitted?
++ false
++ end
++ e = assert_raises ArgumentError do
++ @view.render(params)
++ end
++ assert_equal "render parameters are not permitted", e.message
++ end
++
++ def test_render_with_permitted_strong_parameters
++ params = { inline: "<%= 'hello' %>" }
++ def params.permitted?
++ true
++ end
++ assert_equal 'hello', @view.render(params)
++ end
++
+ def test_render_partial
+ assert_equal "only partial", @view.render(:partial => "test/partial_only")
+ end
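Review bot: both new tests simulate strong parameters by defining a singleton `permitted?` on a Hash literal rather than using a real `ActionController::Parameters`, so they prove the duck-typed guard works but not that the real object reaches `ActionView::Renderer#render` with `permitted?` intact. Adding one case that passes an actual `ActionController::Parameters` instance would tie the view-layer test to the controller-level test added in actionpack/test/controller/render_test.rb.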
+--
+2.5.4 (Apple Git-61)
+
diff --git a/debian/patches/series b/debian/patches/series
index 59c5cd6..2712fbb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,5 @@ CVE-2015-7581.patch
CVE-2016-0751.patch
CVE-2016-0752.patch
CVE-2016-0753.patch
+CVE-2016-2097.patch
+CVE-2016-2098.patch
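Review bot: the order in series is correct and must stay this way: the CVE-2016-2098 patch's hunk for actionpack/test/controller/render_test.rb is generated against the tree after CVE-2016-2097 (index 0fcbb86..7bdf65c, where 0fcbb86 is the post-2097 blob from index 17a019e..0fcbb86), so reversing the two entries would make quilt fail to apply.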
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/rails.git