Fix CVE-2024-26144

(cherry picked from commit ee3d81b2bf0beeaa4d78f819ca7b2cef07d3b22c)
starlet-dx 2024-02-28 11:39:12 +08:00 committed by openeuler-sync-bot
parent 44d5085723
commit e0bb4def7f
2 changed files with 67 additions and 1 deletions

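--- /dev/null
+++ b/CVE-2024-26144.patch
@@ -0,0 +1,60 @@
+From 78fe149509fac5b05e54187aaaef216fbb5fd0d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+<rafael@rubyonrails.org>
+Date: Thu, 3 Aug 2023 16:00:34 -0400
+Subject: [PATCH] Merge pull request #48869 from
+brunoprietog/disable-session-active-storage-proxy-controllers
+Disable session in ActiveStorage blobs and representations proxy controllers
+[CVE-2024-26144]
+---
+activestorage/CHANGELOG.md | 8 ++++++++
+.../active_storage/blobs/proxy_controller.rb | 1 +
+.../representations/proxy_controller.rb | 1 +
+.../concerns/active_storage/disable_session.rb | 12 ++++++++++++
+4 files changed, 22 insertions(+)
+create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
+diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+index 9b4993f240738..0a70d1d7dfc48 100644
+--- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+@@ -4,6 +4,7 @@
+class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
+include ActiveStorage::SetBlob
+include ActiveStorage::SetHeaders
++ include ActiveStorage::DisableSession
+def show
+http_cache_forever public: true do
+diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+index e1ebba109fa8d..5ac55fc6e9bcd 100644
+--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+@@ -3,6 +3,7 @@
+# Proxy files through application. This avoids having a redirect and makes files easier to cache.
+class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
+include ActiveStorage::SetHeaders
++ include ActiveStorage::DisableSession
+def show
+http_cache_forever public: true do
+diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+new file mode 100644
+index 0000000000000..200ad7c9d23ac
+--- /dev/null
++++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+@@ -0,0 +1,12 @@
++# frozen_string_literal: true
++
++# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
++module ActiveStorage::DisableSession
++ extend ActiveSupport::Concern
++
++ included do
++ before_action do
++ request.session_options[:skip] = true
++ end
++ end
++end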
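Review bot: The patch preamble still advertises `activestorage/CHANGELOG.md | 8 ++++++++` and `4 files changed, 22 insertions(+)`, but the body below it carries only the two controller hunks and the new concern (3 files, 14 insertions); the CHANGELOG hunk was evidently dropped when the upstream commit was cherry-picked. `patch`/`%patch` ignore the preamble, so the file applies, but a stale diffstat misleads anyone auditing what was actually backported; regenerate the stat from the trimmed commit, or replace it with `3 files changed, 14 insertions(+)` and a one-line note that the CHANGELOG hunk was intentionally omitted. The new concern's header comment explains only the CDN-caching motivation; since this file is the advisory fix, a comment on the `before_action` such as `# Skipping the session keeps a session Set-Cookie out of the publicly cacheable proxy response (CVE-2024-26144).` would record why it is security-relevant — the `http_cache_forever public: true` in both including controllers is what makes a cached session cookie the concern, though the exact leak path is inferred from the subject line rather than shown here.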


@ -3,7 +3,7 @@
%bcond_with ffmpeg
Name: rubygem-%{gem_name}
Version: 6.1.4.1
Release: 1
Release: 2
Summary: Local and cloud file storage framework
License: MIT
URL: http://rubyonrails.org
@ -18,6 +18,8 @@ Source1: %{gem_name}-%{version}-tests.txz
# git clone http://github.com/rails/rails.git --no-checkout
# cd rails && git archive -v -o rails-6.1.4.1-tools.txz v6.1.4.1 tools/
Source2: rails-%{version}-tools.txz
# https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
Patch0: CVE-2024-26144.patch
BuildRequires: ruby(release) rubygems-devel ruby
%if %{without bootstrap}
BuildRequires: rubygem(actionpack) = %{version} rubygem(activerecord) = %{version}
@ -43,6 +45,7 @@ Documentation for %{name}.
%prep
%setup -q -n %{gem_name}-%{version} -b1 -b2
%patch0 -p2
%build
gem build ../%{gem_name}-%{version}.gemspec
@ -111,6 +114,9 @@ popd
%doc %{gem_instdir}/README.md
%changelog
* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 6.1.4.1-2
- Fix CVE-2024-26144
* Wed Mar 02 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 6.1.4.1-1
- update to 6.1.4.1