!38 Fix CVE-2023-28362

From: @wk333 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2023-28362-test.patch

@@ -0,0 +1,36 @@
+
+diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
+index e218ef35e483b..c088d96413132 100644
+--- a/actionpack/test/controller/redirect_test.rb
++++ b/actionpack/test/controller/redirect_test.rb
+@@ -153,6 +153,11 @@ def redirect_with_null_bytes
+     redirect_to "\000/lol\r\nwat"
+   end
+ 
++  def unsafe_redirect_with_illegal_http_header_value_character
++    redirect_to "javascript:alert(document.domain)\b"
++  end
++
++
+   def rescue_errors(e) raise e end
+ 
+   private
+@@ -437,6 +442,18 @@ def test_redirect_to_with_block_and_accepted_options
+       assert_redirected_to "http://test.host/redirect/hello_world"
+     end
+   end
++
++  def test_unsafe_redirect_with_illegal_http_header_value_character
++    error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
++      get :unsafe_redirect_with_illegal_http_header_value_character
++    end
++
++    msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
++      "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
++
++    assert_equal msg, error.message
++  end
++
+ end
+ 
+ module ModuleTest

CVE-2023-28362.patch

@@ -0,0 +1,71 @@
+From 1c3f93d1e90a3475f9ae2377ead25ccf11f71441 Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Fri, 12 May 2023 13:04:22 -0400
+Subject: [PATCH] Added check for illegal HTTP header value in redirect_to
+
+The set of legal characters for an HTTP header value is described
+in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6.
+
+This commit adds a check to redirect_to that ensures the
+provided URL does not contain any of the illegal characters.
+
+Downstream consumers of the resulting Location response header
+may remove the header if it does not comply with the RFC.
+This can result in a cross site scripting (XSS) vector by
+allowing for the redirection page to sit idle waiting
+for user interaction with the provided malicious link.
+
+[CVE-2023-28362]
+
+Origin: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
+
+---
+ .../action_controller/metal/redirecting.rb    | 21 ++++++++++++++++++-
+ actionpack/test/controller/redirect_test.rb   | 17 +++++++++++++++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
+index 11d462855d064..fdd3f9dc44149 100644
+--- a/actionpack/lib/action_controller/metal/redirecting.rb
++++ b/actionpack/lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module Redirecting
+     include AbstractController::Logger
+     include ActionController::UrlFor
+ 
++    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
++
++    class UnsafeRedirectError < StandardError; end
++
+     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+     #
+     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
+@@ -60,7 +64,11 @@ def redirect_to(options = {}, response_options = {})
+       raise AbstractController::DoubleRenderError if response_body
+ 
+       self.status        = _extract_redirect_to_status(options, response_options)
+-      self.location      = _compute_redirect_to_location(request, options)
++
++      redirect_to_location = _compute_redirect_to_location(request, options)
++      _ensure_url_is_http_header_safe(redirect_to_location)
++
++      self.location      = redirect_to_location
+       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+     end
+ 
+@@ -129,5 +137,16 @@ def _url_host_allowed?(url)
+       rescue ArgumentError, URI::Error
+         false
+       end
++
++      def _ensure_url_is_http_header_safe(url)
++        # Attempt to comply with the set of valid token characters
++        # defined for an HTTP header value in
++        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
++        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
++          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
++            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
++          raise UnsafeRedirectError, msg
++        end
++      end
+   end
+ end

rubygem-actionpack.spec

@@ -4,13 +4,15 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	6.1.4.1
-Release: 	2
+Release: 	3
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
 Source0: 	https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: 	%{gem_name}-%{version}-tests.txz
 Source2: 	rails-%{version}-tools.txz
+Patch0: 	CVE-2023-28362.patch
+Patch1: 	CVE-2023-28362-test.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@@ -48,6 +50,11 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
+%patch0 -p2
+pushd %{_builddir}
+%patch1 -p2
+popd
+
 
 %build
 gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
@@ -89,6 +96,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-3
+- Fix CVE-2023-28362
+
 * Thu Oct 20 2022 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-2
 - Fix compilation failed