rpms/rubygem-actionpack/devel rubygem-actionpack-2.3.4-rack-compat.patch, NONE, 1.1 rubygem-actionpack-2.3.x-CVE-2009-4214.patch, NONE, 1.1 rubygem-actionpack.spec, 1.14, 1.15
Mamoru Tasaka
mtasaka at fedoraproject.org
Thu Jan 7 15:02:11 UTC 2010
Author: mtasaka
Update of /cvs/extras/rpms/rubygem-actionpack/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12921
Modified Files:
rubygem-actionpack.spec
Added Files:
rubygem-actionpack-2.3.4-rack-compat.patch
rubygem-actionpack-2.3.x-CVE-2009-4214.patch
Log Message:
* Fri Jan 8 2010 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 1:2.3.4-4
- Workaround patch to fix the rack 1.1.0 dependency (bug 552972)
rubygem-actionpack-2.3.4-rack-compat.patch:
Rakefile | 2 +-
lib/action_controller.rb | 2 +-
lib/action_controller/integration.rb | 22 +++++++++++++++++++---
lib/action_controller/response.rb | 13 +++++++++++++
test/controller/integration_test.rb | 4 +++-
test/controller/rack_test.rb | 21 ++++++++++++++++++---
test/controller/session/cookie_store_test.rb | 6 ++++--
7 files changed, 59 insertions(+), 11 deletions(-)
--- NEW FILE rubygem-actionpack-2.3.4-rack-compat.patch ---
--- Rakefile.debug 2010-01-07 03:03:57.000000000 +0900
+++ Rakefile 2010-01-07 03:05:36.000000000 +0900
@@ -80,7 +80,7 @@
s.requirements << 'none'
s.add_dependency('activesupport', '= 2.3.4' + PKG_BUILD)
- s.add_dependency('rack', '~> 1.0.0')
+ s.add_dependency('rack', '>= 1.0.0')
s.require_path = 'lib'
s.autorequire = 'action_controller'
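Review bot: `s.add_dependency('rack', '>= 1.0.0')` has no upper bound, so any future rack release — including an incompatible major version — satisfies the gemspec, even though only rack 1.0.x and 1.1.0 are exercised by this patch. The pessimistic operator one level up already expresses the intended range: `s.add_dependency('rack', '~> 1.0')` accepts 1.0.0 through 1.x and stops at 2.0. If the packaging must also survive the next rack move, a two-sided `'>= 1.0.0', '< 1.2'` records what was actually tested. The gemspec block this line belongs to continues outside the hunk.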
--- lib/action_controller.rb.debug 2010-01-07 03:03:57.000000000 +0900
+++ lib/action_controller.rb 2010-01-07 03:05:36.000000000 +0900
@@ -31,7 +31,7 @@
end
end
-gem 'rack', '~> 1.0.0'
+gem 'rack', '>= 1.0.0'
require 'rack'
module ActionController
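Review bot: The runtime activation `gem 'rack', '>= 1.0.0'` will silently load a rack 2.x whose header and cookie behaviour the version-gated workarounds elsewhere in this patch do not anticipate (they only test for `Rack::VERSION` 1.1 and newer within the 1.x line). `gem 'rack', '~> 1.0'` keeps the 1.x series, which is all this change needs, and still refuses 2.0. Whatever constraint is chosen, keep it byte-identical to the Rakefile so the gemspec and the runtime check cannot drift apart.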
--- lib/action_controller/integration.rb.debug 2010-01-07 03:03:57.000000000 +0900
+++ lib/action_controller/integration.rb 2010-01-07 18:46:03.000000000 +0900
@@ -320,9 +320,25 @@
@headers = Rack::Utils::HeaderHash.new(headers)
- (@headers['Set-Cookie'] || "").split("\n").each do |cookie|
- name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
- @cookies[name] = value
+ # Umm.. it seems that with rack 1.1.0 @headers is an array
+ # instead of a string which rack 1.0.0 returned
+ # FIXME!!
+
+ headers_cookie = @headers['Set-Cookie']
+ if headers_cookie.is_a?(Array)
+ headers_cookie.each do |cookie_arr|
+ cookie_arr.split("\n").each do |cookie|
+ name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
+ @cookies[name] = value
+ end
+ end
+
+ else
+
+ (headers_cookie || "").split("\n").each do |cookie|
+ name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
+ @cookies[name] = value
+ end
end
@body = ""
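Review bot: Both branches of the new `if headers_cookie.is_a?(Array)` still index the match result directly, `cookie.match(/^([^=]*)=([^;]*);/)[1,2]`, so a `Set-Cookie` element without a trailing `;` (a bare `name=value`, or an empty string in the array) makes `match` return nil and raises NoMethodError inside the test session instead of skipping that cookie. The Array and String cases can also be folded through `Array()` rather than duplicating the loop, which removes the reason for the FIXME. This is integration-test plumbing rather than request handling, so the exposure is test brittleness, not a production fault; the method that owns `@headers` and `@cookies` starts and ends outside the hunk.

```ruby
# rack 1.0 returns Set-Cookie as a "\n"-joined String; rack 1.1 appears to
# return an Array.  Array() normalises both shapes (nil becomes []).
Array(@headers['Set-Cookie']).each do |header_value|
  header_value.split("\n").each do |cookie|
    next unless (m = cookie.match(/^([^=]*)=([^;]*);/))
    @cookies[m[1]] = m[2]
  end
end
```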
--- lib/action_controller/response.rb.debug 2010-01-07 03:03:57.000000000 +0900
+++ lib/action_controller/response.rb 2010-01-07 19:40:44.000000000 +0900
@@ -112,6 +112,12 @@
end
def etag?
+
+ # FIXME!!
+ if Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1
+ return headers.include?('ETag') && !headers['ETag'].nil?
+ end
+
headers.include?('ETag')
end
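Review bot: The `Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1` gate in `etag?` makes a nil `ETag` count as present on rack 1.0 and absent on 1.1, and reverts to the old behaviour again for any rack 2.x that the loosened `>= 1.0.0` constraint now admits. A nil ETag is never a usable validator on any rack version, so the whole method can be `!headers['ETag'].nil?` (assuming `headers` yields nil for a missing key, which it appears to given the `include?` check was considered sufficient before) and the FIXME disappears. If behaviour really must key off `Rack::VERSION`, put that test in one named helper instead of repeating the tuple comparison in each method.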
@@ -218,8 +224,15 @@
# Don't set the Content-Length for block-based bodies as that would mean
# reading it all into memory. Not nice for, say, a 2GB streaming file.
def set_content_length!
+
+ ## FIXME
+
if status && status.to_s[0..2] == '204'
headers.delete('Content-Length')
+
+ elsif Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1 && status && status.to_s[0..2] == '304'
+ headers.delete('Content-Length')
+
elsif length = headers['Content-Length']
headers['Content-Length'] = length.to_s
elsif !body.respond_to?(:call) && (!status || status.to_s[0..2] != '304')
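Review bot: The new `elsif` for `304` is gated on `Rack::VERSION`, yet a 304 must not carry a body and the final `elsif` on the last context line already refuses to compute a length for it, so removing a stale `Content-Length` is correct on every rack version and the gate only makes responses differ by environment. Fold it into the existing 204 branch: `if status && %w(204 304).include?(status.to_s[0..2])` followed by the existing `headers.delete('Content-Length')`, and drop the version-checked branch. I assume the trigger was a rack 1.1 check rejecting Content-Length on 304 responses; if so, say that in a comment in place of the bare `## FIXME`. `set_content_length!` continues past the end of the hunk.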
--- test/controller/integration_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
+++ test/controller/integration_test.rb 2010-01-07 05:44:37.000000000 +0900
@@ -306,7 +306,9 @@
assert_equal "Gone", status_message
assert_response 410
assert_response :gone
- assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", headers["Set-Cookie"]
+ # Okay if cookies coincides.
+ # With rake 1.1.0 headers["Set-Cookie"] is an array instread of a string
+ #assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", headers["Set-Cookie"]
assert_equal({"cookie_1"=>"", "cookie_2"=>"oatmeal", "cookie_3"=>"chocolate"}, cookies)
assert_equal "Gone", response.body
end
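Review bot: Commenting out the `assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", headers["Set-Cookie"]` line drops the only check that the raw header is emitted at all; the `cookies` assertion only proves the parser saw something. The check can be kept shape-agnostic with `assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", Array(headers["Set-Cookie"]).join("\n")`, which passes for the rack 1.0 String and a rack 1.1 Array alike (assuming the Array preserves emission order). The comment above it also says `rake 1.1.0` where rack is meant and misspells `instread`. The test method starts before the hunk.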
--- test/controller/rack_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
+++ test/controller/rack_test.rb 2010-01-07 05:40:49.000000000 +0900
@@ -215,11 +215,16 @@
status, headers, body = @response.to_a
assert_equal 200, status
+ if headers['Set-Cookie'].is_a?(Array)
+ cookie_must = []
+ else
+ cookie_must = ""
+ end
assert_equal({
"Content-Type" => "text/html; charset=utf-8",
"Cache-Control" => "private, max-age=0, must-revalidate",
"ETag" => '"65a8e27d8879283831b664bd8b7f0ad4"',
- "Set-Cookie" => "",
+ "Set-Cookie" => cookie_must,
"Content-Length" => "13"
}, headers)
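Review bot: Deriving `cookie_must` from `headers['Set-Cookie'].is_a?(Array)` makes the expected value follow the actual one, so the assertion can no longer tell whether `to_a` emitted the header type the caller expects; it only checks emptiness by accident. Compare the cookie header separately and keep the rest exact, e.g. `assert_equal "", Array(headers.delete('Set-Cookie')).join` immediately before `assert_equal({...}, headers)` with `"Set-Cookie"` removed from the literal. The same five-line shape test is pasted into the two hunks below; if it has to stay, hoist it into one helper in the test class. The test method starts outside the hunk.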
@@ -234,11 +239,16 @@
status, headers, body = @response.to_a
assert_equal 200, status
+ if headers['Set-Cookie'].is_a?(Array)
+ cookie_must = []
+ else
+ cookie_must = ""
+ end
assert_equal({
"Content-Type" => "text/html; charset=utf-8",
"Cache-Control" => "private, max-age=0, must-revalidate",
"ETag" => '"ebb5e89e8a94e9dd22abf5d915d112b2"',
- "Set-Cookie" => "",
+ "Set-Cookie" => cookie_must,
"Content-Length" => "8"
}, headers)
end
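Review bot: Same pattern as the first hunk of this file: `cookie_must` is computed from the header under test, so the `assert_equal({...}, headers)` no longer constrains the header's type. Checking the cookie header on its own with `assert_equal "", Array(headers.delete('Set-Cookie')).join` keeps the hash comparison exact for the remaining headers. The test method starts outside the hunk.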
@@ -251,10 +261,15 @@
status, headers, body = @response.to_a
assert_equal 200, status
+ if headers['Set-Cookie'].is_a?(Array)
+ cookie_must = []
+ else
+ cookie_must = ""
+ end
assert_equal({
"Content-Type" => "text/html; charset=utf-8",
"Cache-Control" => "no-cache",
- "Set-Cookie" => ""
+ "Set-Cookie" => cookie_must
}, headers)
parts = []
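Review bot: Third copy of the `cookie_must` shape sniffing; as in the earlier hunks it lets the assertion pass for either type without ever asserting which one is produced. `assert_equal "", Array(headers.delete('Set-Cookie')).join` before the hash comparison, with `"Set-Cookie"` dropped from the literal, says the same thing in one line and without duplicating the `if`. The test method starts before the hunk and continues after it.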
--- test/controller/session/cookie_store_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
+++ test/controller/session/cookie_store_test.rb 2010-01-07 05:47:37.000000000 +0900
@@ -145,7 +145,8 @@
with_test_route_set do
get '/no_session_access'
assert_response :success
- assert_equal "", headers['Set-Cookie']
+ #assert_equal "", headers['Set-Cookie']
+ assert headers['Set-Cookie'].empty?
end
end
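Review bot: `assert headers['Set-Cookie'].empty?` raises NoMethodError instead of failing the assertion when the header is absent (`nil`), and if rack 1.1 ever yields an array holding a single `""` the check fails even though no cookie was set, so it is both fragile and stricter than intended. `assert_equal "", Array(headers['Set-Cookie']).join` covers nil, `""`, `[]` and `[""]` and reports a readable diff on failure. The commented-out original assertion can then be deleted rather than left in place.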
@@ -155,7 +156,8 @@
"fef868465920f415f2c0652d6910d3af288a0367"
get '/no_session_access'
assert_response :success
- assert_equal "", headers['Set-Cookie']
+ #assert_equal "", headers['Set-Cookie']
+ assert headers['Set-Cookie'].empty?
end
end
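Review bot: Same fragility as the hunk above: `headers['Set-Cookie'].empty?` raises rather than fails when the header is nil. `assert_equal "", Array(headers['Set-Cookie']).join` is shape-agnostic and shows a diff; the commented-out line can be removed. The test method starts outside the hunk.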
rubygem-actionpack-2.3.x-CVE-2009-4214.patch:
lib/action_controller/vendor/html-scanner/html/node.rb | 2 +-
test/controller/html-scanner/sanitizer_test.rb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE rubygem-actionpack-2.3.x-CVE-2009-4214.patch ---
>From bfe032858077bb2946abe25e95e485ba6da86bd5 Mon Sep 17 00:00:00 2001
From: Gabe da Silveira <gabe at websaviour.com>
Date: Mon, 16 Nov 2009 21:17:35 -0800
Subject: [PATCH] Make sure strip_tags removes tags which start with a non-printable character
Signed-off-by: Michael Koziarski <michael at koziarski.com>
---
.../vendor/html-scanner/html/node.rb | 2 +-
.../test/controller/html-scanner/sanitizer_test.rb | 1 +
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
index 6c03316..0cd05d8 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -162,7 +162,7 @@ module HTML #:nodoc:
end
closing = ( scanner.scan(/\//) ? :close : nil )
- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
name.downcase!
unless closing
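Review bot: The widened class `[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+` lets a tag name absorb C0 control bytes, so `<\x07a href=...>` is tokenised as a tag (and, per the accompanying test, stripped) instead of surviving as text; it deliberately leaves out LF and CR, but also omits DEL (`\x7f`) and the C1 range (`\x80-\x9f`), and whether a browser still recovers a tag from `<\x7fa ...>` cannot be confirmed from this hunk, so that deserves a test either way. A one-line comment would spare the next reader from reverse-engineering the ranges: `# CVE-2009-4214: browsers ignore leading control characters in tag names; include them in the name so the sanitizer sees (and rejects) the tag`. Presumably the control bytes kept in `name` after `name.downcase!` then fail any tag whitelist comparison downstream, which is what makes the tag get dropped — worth stating too. The enclosing method starts and ends outside the hunk.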
diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
index e85a5c7..1923544 100644
--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -19,6 +19,7 @@ class SanitizerTest < ActionController::TestCase
assert_equal "This has a here.", sanitizer.sanitize("This has a <!-- comment --> here.")
assert_equal "This has a here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
+ assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag</a>")
[nil, '', ' '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
end
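Review bot: The single new case uses `\x07`, but the fix's character class spans three ranges (`\x00-\x09`, `\x0b-\x0c`, `\x0e-\x1f`), so a boundary value from each would pin the class and catch a later edit silently narrowing it: `["\x00", "\x09", "\x0b", "\x0c", "\x0e", "\x1f"].each { |c| assert_equal "non printable char is a tag", sanitizer.sanitize("<#{c}a href='/hello'>non printable char is a tag</a>") }`. A case for a byte outside the class (LF, or `\x7f`) would document whichever behaviour is intended there. The test method starts before the hunk.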
--
1.6.0.1
Index: rubygem-actionpack.spec
===================================================================
RCS file: /cvs/extras/rpms/rubygem-actionpack/devel/rubygem-actionpack.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -p -r1.14 -r1.15
--- rubygem-actionpack.spec 7 Oct 2009 23:12:56 -0000 1.14
+++ rubygem-actionpack.spec 7 Jan 2010 15:02:11 -0000 1.15
@@ -10,12 +10,17 @@ Summary: Web-flow and rendering framewor
Name: rubygem-%{gemname}
Epoch: 1
Version: 2.3.4
-Release: 2%{?dist}
+Release: 4%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.gem
Patch0: rubygem-actionpack-2.3.4-enable-test.patch
+Patch1: rubygem-actionpack-2.3.x-CVE-2009-4214.patch
+#
+# Please someone fix the following Patch2!! (mtasaka)
+#
+Patch2: rubygem-actionpack-2.3.4-rack-compat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
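Review bot: Patch2 is introduced with a comment asking someone to fix it, but nothing records what is wrong with it or which rack versions it was tested against, so the next maintainer has to reconstruct the intent from the FIXMEs inside the patch. Replace the comment with the facts, e.g. `# Patch2: rack 1.1 appears to return Set-Cookie as an Array and to reject Content-Length on 304; loosens the rack dependency to >= 1.0.0 (bug 552972). TODO: replace with an upstream fix.` Because the gemspec constraint is being opened to `>= 1.0.0`, also check that the package's own `Requires: rubygem(rack)` line (not visible in this hunk) carries the bound that was actually tested, so RPM does not permit a rack upgrade the gem cannot handle.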
@@ -43,8 +48,14 @@ gem install --local --install-dir .%{gem
-V \
--force --rdoc %{SOURCE0}
+# forcely modify gemspec for rack dependency
+sed -i -e '/rack/s|~>|>=|' \
+ ./%{gemdir}/specifications/*gemspec
+
pushd .%{geminstdir}
%patch0 -p0
+%patch1 -p2
+%patch2 -p0
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
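Review bot: `sed -i -e '/rack/s|~>|>=|' ./%{gemdir}/specifications/*gemspec` rewrites every gemspec in the install dir on any line that mentions `rack`, not just the actionpack dependency; with `--install-dir` only this gem is likely present today, but the glob and the bare `/rack/` address will silently edit other specs or a description line if that changes. Narrow both: `sed -i -e '/add_.*dependency.*rack/s|~>|>=|' ./%{gemdir}/specifications/%{gemname}-%{version}.gemspec`. The `%patch1 -p2` level does line up with the `a/actionpack/...` paths in the CVE patch given the `pushd .%{geminstdir}`, so the two patch applications are consistent.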
@@ -110,6 +121,12 @@ rake test --trace
%changelog
+* Fri Jan 8 2010 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 1:2.3.4-4
+- Workaround patch to fix for rack 1.1.0 dependency (bug 552972)
+
+* Thu Dec 10 2009 David Lutterkort <lutter at redhat.com> - 1:2.3.4-3
+- Patch for CVE-2009-4214 (bz 542786)
+
* Wed Oct 7 2009 David Lutterkort <lutter at redhat.com> - 1:2.3.4-2
- Bump Epoch to ensure upgrade path from F-11