From 2c61bb6e3ad16bb0e01dd5c7fea03300199f555c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 13 2019 08:53:54 +0000
Subject: import rh-ror42-rubygem-actionpack-4.2.6-5.el7


---

diff --git a/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
new file mode 100644
index 0000000..d86d8e5
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
@@ -0,0 +1,73 @@
+diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
+index 66d2fd7716..07ad0085fc 100644
+--- a/actionpack/test/controller/mime/respond_to_test.rb
++++ b/actionpack/test/controller/mime/respond_to_test.rb
+@@ -87,9 +87,9 @@ class RespondToController < ActionController::Base
+ 
+   def custom_type_handling
+     respond_to do |type|
+-      type.html { render :text => "HTML"    }
+-      type.custom("application/crazy-xml")  { render :text => "Crazy XML"  }
+-      type.all  { render :text => "Nothing" }
++      type.html { render text: "HTML"    }
++      type.custom("application/fancy-xml")  { render text: "Fancy XML"  }
++      type.all  { render text: "Nothing" }
+     end
+   end
+ 
+@@ -269,12 +269,14 @@ class RespondToControllerTest < ActionController::TestCase
+     @request.host = "www.example.com"
+     Mime::Type.register_alias("text/html", :iphone)
+     Mime::Type.register("text/x-mobile", :mobile)
++    Mime::Type.register("application/fancy-xml", :fancy_xml)
+   end
+ 
+   def teardown
+     super
+     Mime::Type.unregister(:iphone)
+     Mime::Type.unregister(:mobile)
++    Mime::Type.unregister(:fancy_xml)
+   end
+ 
+   def test_html
+@@ -430,10 +432,10 @@ class RespondToControllerTest < ActionController::TestCase
+   end
+ 
+   def test_custom_types
+-    @request.accept = "application/crazy-xml"
++    @request.accept = "application/fancy-xml"
+     get :custom_type_handling
+-    assert_equal "application/crazy-xml", @response.content_type
+-    assert_equal 'Crazy XML', @response.body
++    assert_equal "application/fancy-xml", @response.content_type
++    assert_equal "Fancy XML", @response.body
+ 
+     @request.accept = "text/html"
+     get :custom_type_handling
+diff --git a/actionpack/test/controller/new_base/content_negotiation_test.rb b/actionpack/test/controller/new_base/content_negotiation_test.rb
+index 5fd5946619..57bf16ac9c 100644
+--- a/actionpack/test/controller/new_base/content_negotiation_test.rb
++++ b/actionpack/test/controller/new_base/content_negotiation_test.rb
+@@ -19,9 +19,19 @@ module ContentNegotiation
+       assert_body "Hello world */*!"
+     end
+ 
+-    test "Not all mimes are converted to symbol" do
+-      get "/content_negotiation/basic/all", {}, "HTTP_ACCEPT" => "text/plain, mime/another"
+-      assert_body '[:text, "mime/another"]'
++    test "A js or */* Accept header will return HTML" do
++      get "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++      assert_body "Hello world text/html!"
++    end
++
++    test "A js or */* Accept header on xhr will return HTML" do
++      xhr :get, "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++      assert_body "Hello world text/javascript!"
++    end
++
++    test "Unregistered mimes are ignored" do
++      get "/content_negotiation/basic/all", {}, { "HTTP_ACCEPT" => "text/plain, mime/another" }
++      assert_body '[:text]'
+     end
+   end
+ end
diff --git a/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch
new file mode 100644
index 0000000..e132ce2
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch
@@ -0,0 +1,24 @@
+diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+index 53a98c5d0a..00fd3d03df 100644
+--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
++++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+@@ -61,7 +61,7 @@ module ActionDispatch
+                               false
+                             end
+ 
+-          if params_readable
++          v = if params_readable
+             Array(Mime[parameters[:format]])
+           elsif use_accept_header && valid_accept_header
+             accepts
+@@ -70,6 +70,10 @@ module ActionDispatch
+           else
+             [Mime::HTML]
+           end
++
++          v.select do |format|
++            format.symbol || format.ref == "*/*"
++          end
+         end
+       end
+ 
diff --git a/SPECS/rubygem-actionpack.spec b/SPECS/rubygem-actionpack.spec
index c1445c1..b5dbaf3 100644
--- a/SPECS/rubygem-actionpack.spec
+++ b/SPECS/rubygem-actionpack.spec
@@ -15,7 +15,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Epoch: 1
 Version: 4.2.6
-Release: 3%{?dist}
+Release: 5%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -32,6 +32,13 @@ Source2: actionpack-%{version}-tests.tgz
 # Fix CVE-2016-6317 unsafe query generation in Active Record
 # https://bugzilla.redhat.com/show_bug.cgi?id=1365017
 Patch0: rubygem-actionpack-4.2.7.1-CVE-2016-6317-unsafe-query-tests.patch
+# CVE-2019-5418: Render file directory traversal in Action View
+# https://bugzilla.redhat.com/show_bug.cgi?id=1689159
+# CVE-2019-5419: Denial of service vulnerability in Action View
+# https://bugzilla.redhat.com/show_bug.cgi?id=1689160
+# https://github.com/rails/rails/commit/58ed245e80a8710fbe31e91417bfd19f9f934cc4
+Patch1: rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file.patch
+Patch2: rubygem-actionpack-4.2.11.1-CVE-2019-5418-CVE-2019-5419-render-file-tests.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 Requires: %{?scl_prefix_ruby}ruby(release)
@@ -70,6 +77,9 @@ BuildRequires: %{?scl_prefix}rubygem(uglifier)
 BuildArch: noarch
 Provides: %{?scl_prefix}rubygem(%{gem_name}) = %{version}
 
+# Explicitly require runtime subpackage, as long as older scl-utils do not generate it
+Requires: %{?scl_prefix}runtime
+
 BuildRequires: %{?scl_prefix_nodejs}nodejs
 
 %description
@@ -91,6 +101,10 @@ Documentation for %{pkg_name}
 %gem_install -n %{SOURCE0}
 %{?scl:EOF}
 
+pushd .%{gem_instdir}
+%patch1 -p2 -F 0
+popd
+
 # move the tests into place
 tar xzvf %{SOURCE2} -C .%{gem_instdir}
 
@@ -127,6 +141,7 @@ rm -rf %{buildroot}
 pushd .%{gem_instdir}
 
 patch -p2 < %{PATCH0}
+patch -p2 < %{PATCH2}
 
 # load_path is not available, remove its require.
 sed -i '1,2d' test/abstract_unit.rb
@@ -135,8 +150,10 @@ sed -i '1,2d' test/abstract_unit.rb
 sed -i "1i\require 'rack/test'" lib/action_controller/metal/strong_parameters.rb
 
 # One test is failing: DebugExceptionsTest#test_debug_exceptions_app_shows_user_code_that_caused_the_error_in_source_view
+%if 0%{?rhel} >= 7
 sed -i "/^  test 'debug exceptions app shows user code that caused the error in source view' do$/,/^  end$/ s/^/#/" \
   test/dispatch/debug_exceptions_test.rb
+%endif
 %{?scl:scl enable %{scl} %{scl_nodejs} - << \EOF}
 ruby -w -I.:lib:test -rtimeout -e 'Dir.glob("test/{abstract,controller,dispatch,template}/**/*_test.rb").each {|t| require t}'
 %{?scl:EOF}
@@ -157,6 +174,12 @@ popd
 %{gem_instdir}/test/
 
 %changelog
+* Fri Mar 29 2019 Jun Aruga <jaruga@redhat.com> - 1:4.2.6-5
+- Fix a render file directory traversal in Action View
+  Resolves: CVE-2019-5418
+- Fix a denial of service vulnerability in Action View
+  Resolves: CVE-2019-5419
+
 * Thu Aug 18 2016 Jun Aruga <jaruga@redhat.com> - 1:4.2.6-3
 - Fix for CVE-2016-6317
   Resolves: rhbz#1365017