Fix CVE-2023-28362

2023-07-24 11:37:22 +08:00 · 2023-07-24 11:37:22 +08:00 · e2f2f5e2d2
commit e2f2f5e2d2
parent 033f4f61b3
3 changed files with 118 additions and 1 deletions
--- a/CVE-2023-28362-test.patch
+++ b/CVE-2023-28362-test.patch
@ -0,0 +1,36 @@
+
+diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
+index e218ef35e483b..c088d96413132 100644
+--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
+@@ -153,6 +153,11 @@ def redirect_with_null_bytes
+     redirect_to "\000/lol\r\nwat"
+   end
+ 
+  def unsafe_redirect_with_illegal_http_header_value_character
+    redirect_to "javascript:alert(document.domain)\b"
+  end
+
+
+   def rescue_errors(e) raise e end
+ 
+   private
+@@ -437,6 +442,18 @@ def test_redirect_to_with_block_and_accepted_options
+       assert_redirected_to "http://test.host/redirect/hello_world"
+     end
+   end
+
+  def test_unsafe_redirect_with_illegal_http_header_value_character
+    error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
+      get :unsafe_redirect_with_illegal_http_header_value_character
+    end
+
+    msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
+      "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+
+    assert_equal msg, error.message
+  end
+
+ end
+ 
+ module ModuleTest
--- a/CVE-2023-28362.patch
+++ b/CVE-2023-28362.patch
@ -0,0 +1,71 @@
+From 1c3f93d1e90a3475f9ae2377ead25ccf11f71441 Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Fri, 12 May 2023 13:04:22 -0400
+Subject: [PATCH] Added check for illegal HTTP header value in redirect_to
+
+The set of legal characters for an HTTP header value is described
+in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6.
+
+This commit adds a check to redirect_to that ensures the
+provided URL does not contain any of the illegal characters.
+
+Downstream consumers of the resulting Location response header
+may remove the header if it does not comply with the RFC.
+This can result in a cross site scripting (XSS) vector by
+allowing for the redirection page to sit idle waiting
+for user interaction with the provided malicious link.
+
+[CVE-2023-28362]
+
+Origin: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
+
+---
+ .../action_controller/metal/redirecting.rb    | 21 ++++++++++++++++++-
+ actionpack/test/controller/redirect_test.rb   | 17 +++++++++++++++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
+index 11d462855d064..fdd3f9dc44149 100644
+--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module Redirecting
+     include AbstractController::Logger
+     include ActionController::UrlFor
+ 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
+    class UnsafeRedirectError < StandardError; end
+
+     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+     #
+     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
+@@ -60,7 +64,11 @@ def redirect_to(options = {}, response_options = {})
+       raise AbstractController::DoubleRenderError if response_body
+ 
+       self.status        = _extract_redirect_to_status(options, response_options)
+-      self.location      = _compute_redirect_to_location(request, options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = redirect_to_location
+       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+     end
+ 
+@@ -129,5 +137,16 @@ def _url_host_allowed?(url)
+       rescue ArgumentError, URI::Error
+         false
+       end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters
+        # defined for an HTTP header value in
+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
+   end
+ end
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@ -4,13 +4,15 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	6.1.4.1
-Release: 	2
+Release: 	3
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
 Source0: 	https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: 	%{gem_name}-%{version}-tests.txz
 Source2: 	rails-%{version}-tools.txz
+Patch0: 	CVE-2023-28362.patch
+Patch1: 	CVE-2023-28362-test.patch

 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@ -48,6 +50,11 @@ Documentation for %{name}.

 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
+%patch0 -p2
+pushd %{_builddir}
+%patch1 -p2
+popd
+

 %build
 gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
@ -89,6 +96,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-3
+- Fix CVE-2023-28362
+
 * Thu Oct 20 2022 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-2
 - Fix compilation failed