packages/rubygem-activestorage
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
rubygem-activestorage/CVE-2024-26144.patch
starlet-dx e0bb4def7f Fix CVE-2024-26144 
(cherry picked from commit ee3d81b2bf0beeaa4d78f819ca7b2cef07d3b22c)
2024-02-28 14:06:11 +08:00

61 lines
2.7 KiB
Diff
Raw Blame History

From 78fe149509fac5b05e54187aaaef216fbb5fd0d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
<rafael@rubyonrails.org>
Date: Thu, 3 Aug 2023 16:00:34 -0400
Subject: [PATCH] Merge pull request #48869 from
brunoprietog/disable-session-active-storage-proxy-controllers
Disable session in ActiveStorage blobs and representations proxy controllers
[CVE-2024-26144]
---
activestorage/CHANGELOG.md | 8 ++++++++
.../active_storage/blobs/proxy_controller.rb | 1 +
.../representations/proxy_controller.rb | 1 +
.../concerns/active_storage/disable_session.rb | 12 ++++++++++++
4 files changed, 22 insertions(+)
create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
index 9b4993f240738..0a70d1d7dfc48 100644
--- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
@@ -4,6 +4,7 @@
class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
include ActiveStorage::SetBlob
include ActiveStorage::SetHeaders
+ include ActiveStorage::DisableSession
def show
http_cache_forever public: true do
diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
index e1ebba109fa8d..5ac55fc6e9bcd 100644
--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
@@ -3,6 +3,7 @@
# Proxy files through application. This avoids having a redirect and makes files easier to cache.
class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
include ActiveStorage::SetHeaders
+ include ActiveStorage::DisableSession
def show
http_cache_forever public: true do
diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
new file mode 100644
index 0000000000000..200ad7c9d23ac
--- /dev/null
+++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
+module ActiveStorage::DisableSession
+ extend ActiveSupport::Concern
+
+ included do
+ before_action do
+ request.session_options[:skip] = true
+ end
+ end
+end
Reference in New Issue View Git Blame Copy Permalink