Fix CVE-2023-22792 and CVE-2023-22795

(cherry picked from commit 67a89aa21ad5d94b119a294f28816492a8234e61)

CVE-2023-22792-test.patch

@@ -0,0 +1,58 @@
+diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
+index 23716c0aeb7b6..6f4b78c7208ea 100644
+--- a/actionpack/test/dispatch/cookies_test.rb
++++ b/actionpack/test/dispatch/cookies_test.rb
+@@ -247,6 +247,11 @@ def set_cookie_with_domain_and_tld
+       head :ok
+     end
+ 
++    def set_cookie_with_domain_and_longer_tld
++      cookies[:user_name] = { value: "rizwanreza", domain: :all, tld_length: 4 }
++      head :ok 
++    end
++
+     def delete_cookie_with_domain_and_tld
+       cookies.delete(:user_name, domain: :all, tld_length: 2)
+       head :ok
+@@ -1044,6 +1049,13 @@ def test_cookie_with_all_domain_option_using_australian_style_tld
+     assert_cookie_header "user_name=rizwanreza; domain=.nextangle.com.au; path=/; SameSite=Lax"
+   end
+ 
++  def test_cookie_with_all_domain_option_using_australian_style_tld_and_two_subdomains
++    @request.host = "x.nextangle.com.au"
++    get :set_cookie_with_domain
++    assert_response :success
++    assert_cookie_header "user_name=rizwanreza; domain=.nextangle.com.au; path=/; SameSite=Lax"
++  end
++
+   def test_cookie_with_all_domain_option_using_uk_style_tld
+     @request.host = "nextangle.co.uk"
+     get :set_cookie_with_domain
+@@ -1051,6 +1063,13 @@ def test_cookie_with_all_domain_option_using_uk_style_tld
+     assert_cookie_header "user_name=rizwanreza; domain=.nextangle.co.uk; path=/; SameSite=Lax"
+   end
+ 
++  def test_cookie_with_all_domain_option_using_uk_style_tld_and_two_subdomains
++    @request.host = "x.nextangle.co.uk"
++    get :set_cookie_with_domain
++    assert_response :success
++    assert_cookie_header "user_name=rizwanreza; domain=.nextangle.co.uk; path=/; SameSite=Lax"
++  end
++
+   def test_cookie_with_all_domain_option_using_host_with_port
+     @request.host = "nextangle.local:3000"
+     get :set_cookie_with_domain
+@@ -1113,6 +1132,13 @@ def test_cookie_with_all_domain_option_using_host_with_port_and_tld_length
+     assert_cookie_header "user_name=rizwanreza; domain=.nextangle.local; path=/; SameSite=Lax"
+   end
+ 
++  def test_cookie_with_all_domain_option_using_longer_tld_length
++    @request.host = "x.y.z.t.com"
++    get :set_cookie_with_domain_and_longer_tld
++    assert_response :success
++    assert_cookie_header "user_name=rizwanreza; domain=.y.z.t.com; path=/; SameSite=Lax"
++  end
++
+   def test_deleting_cookie_with_all_domain_option_and_tld_length
+     request.cookies[:user_name] = "Joe"
+     get :delete_cookie_with_domain_and_tld

CVE-2023-22792.patch

@@ -0,0 +1,78 @@
+From 7a7f37f146aa977350cf914eba20a95ce371485f Mon Sep 17 00:00:00 2001
+From: sabulikia <sabakiaei@gmail.com>
+Date: Thu, 7 Jul 2022 16:10:20 -0400
+Subject: [PATCH] Use string#split instead of regex for domain parts
+
+[CVE-2023-22792]
+---
+ .../lib/action_dispatch/middleware/cookies.rb | 48 +++++++++++--------
+ actionpack/test/dispatch/cookies_test.rb      | 26 ++++++++++
+ 2 files changed, 54 insertions(+), 20 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
+index ac5844723303a..335122adb5c73 100644
+--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
++++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
+@@ -283,20 +283,6 @@ def signed_cookie_digest
+     class CookieJar #:nodoc:
+       include Enumerable, ChainedCookieJars
+ 
+-      # This regular expression is used to split the levels of a domain.
+-      # The top level domain can be any string without a period or
+-      # **.**, ***.** style TLDs like co.uk or com.au
+-      #
+-      # www.example.co.uk gives:
+-      # $& => example.co.uk
+-      #
+-      # example.com gives:
+-      # $& => example.com
+-      #
+-      # lots.of.subdomains.example.local gives:
+-      # $& => example.local
+-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
+-
+       def self.build(req, cookies)
+         jar = new(req)
+         jar.update(cookies)
+@@ -449,13 +435,35 @@ def handle_options(options)
+           options[:same_site] ||= cookies_same_site_protection.call(request)
+ 
+           if options[:domain] == :all || options[:domain] == "all"
+-            # If there is a provided tld length then we use it otherwise default domain regexp.
+-            domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
++            cookie_domain = ""
++            dot_splitted_host = request.host.split('.', -1)
++
++            # Case where request.host is not an IP address or it's an invalid domain
++            # (ip confirms to the domain structure we expect so we explicitly check for ip)
++            if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
++              options[:domain] = nil
++              return
++            end
++
++            # If there is a provided tld length then we use it otherwise default domain.
++            if options[:tld_length].present? 
++              # Case where the tld_length provided is valid
++              if dot_splitted_host.length >= options[:tld_length]
++                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
++              end
++            # Case where tld_length is not provided
++            else
++              # Regular TLDs
++              if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
++                cookie_domain = dot_splitted_host.last(2).join('.')
++              # **.**, ***.** style TLDs like co.uk and com.au
++              else
++                cookie_domain = dot_splitted_host.last(3).join('.')
++              end
++            end
+ 
+-            # If host is not ip and matches domain regexp.
+-            # (ip confirms to domain regexp so we explicitly check for ip)
+-            options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
+-              ".#{$&}"
++            options[:domain] = if cookie_domain.present?
++              ".#{cookie_domain}"
+             end
+           elsif options[:domain].is_a? Array
+             # If host matches one of the supplied domains.

CVE-2023-22795.patch

@@ -0,0 +1,23 @@
+From 484fc9185db6c6a6a49ab458b11f9366da02bab2 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Fri, 13 Jan 2023 15:54:40 -0800
+Subject: [PATCH] Avoid regex backtracking on If-None-Match header
+
+[CVE-2023-22795]
+---
+ actionpack/lib/action_dispatch/http/cache.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/cache.rb b/actionpack/lib/action_dispatch/http/cache.rb
+index 9c46c5c8a4d81..d9d6f325342ea 100644
+--- a/actionpack/lib/action_dispatch/http/cache.rb
++++ b/actionpack/lib/action_dispatch/http/cache.rb
+@@ -18,7 +18,7 @@ def if_none_match
+         end
+ 
+         def if_none_match_etags
+-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
++          if_none_match ? if_none_match.split(",").each(&:strip!) : []
+         end
+ 
+         def not_modified?(modified_at)

rubygem-actionpack.spec

@@ -4,7 +4,7 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	6.1.4.1
-Release: 	3
+Release: 	4
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@@ -13,6 +13,11 @@ Source1: 	%{gem_name}-%{version}-tests.txz
 Source2: 	rails-%{version}-tools.txz
 Patch0: 	CVE-2023-28362.patch
 Patch1: 	CVE-2023-28362-test.patch
+# https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f
+Patch2:         CVE-2023-22792.patch
+Patch3:         CVE-2023-22792-test.patch
+# https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
+Patch4:         CVE-2023-22795.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@@ -51,8 +56,11 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
 %patch0 -p2
+%patch2 -p2
+%patch4 -p2
 pushd %{_builddir}
 %patch1 -p2
+%patch3 -p2
 popd
 
 
@@ -96,6 +104,9 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-4
+- Fix CVE-2023-22792 and CVE-2023-22795
+
 * Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-3
 - Fix CVE-2023-28362