diff --git a/SOURCES/rubygem-actionpack-4.2.7.1-CVE-2016-6317-unsafe-query-tests.patch b/SOURCES/rubygem-actionpack-4.2.7.1-CVE-2016-6317-unsafe-query-tests.patch
new file mode 100644
index 0000000..2755e35
--- /dev/null
+++ b/SOURCES/rubygem-actionpack-4.2.7.1-CVE-2016-6317-unsafe-query-tests.patch
@@ -0,0 +1,55 @@
+diff --git a/actionpack/test/dispatch/request/json_params_parsing_test.rb b/actionpack/test/dispatch/request/json_params_parsing_test.rb
+index c609075..e8dec17 100644
+--- a/actionpack/test/dispatch/request/json_params_parsing_test.rb
++++ b/actionpack/test/dispatch/request/json_params_parsing_test.rb
+@@ -84,7 +84,50 @@ def teardown
+ end
+ end
+ 
++ test "prevent null query" do
++ # Make sure we have data to find
++ klass = Class.new(ActiveRecord::Base) do
++ def self.name; 'Foo'; end
++ establish_connection adapter: "sqlite3", database: ":memory:"
++ connection.create_table "foos" do |t|
++ t.string :title
++ t.timestamps null: false
++ end
++ end
++ klass.create
++ assert klass.first
++
++ app = ActionDispatch::ParamsParser.new ->(env) {
++ request = ActionDispatch::Request.new env
++ params = ActionController::Parameters.new request.parameters
++ if params[:t]
++ klass.find_by_title(params[:t])
++ else
++ nil
++ end
++ }
++
++ assert_nil app.call(make_env({ 't' => nil }))
++ assert_nil app.call(make_env({ 't' => [nil] }))
++
++ [[[nil]], [[[nil]]]].each do |data|
++ assert_deprecated do
++ assert_nil app.call(make_env({ 't' => data }))
++ end
++ end
++ end
++
+ private
++ def make_env json
++ data = JSON.dump json
++ content_length = data.length
++ {
++ 'CONTENT_LENGTH' => content_length,
++ 'CONTENT_TYPE' => 'application/json',
++ 'rack.input' => StringIO.new(data)
++ }
++ end
++
+ def assert_parses(expected, actual, headers = {})
+ with_test_routing do
+ post "/parse", actual, headers
diff --git a/SPECS/rubygem-actionpack.spec b/SPECS/rubygem-actionpack.spec
index 8bd7662..c1445c1 100644
--- a/SPECS/rubygem-actionpack.spec
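Review bot: In `make_env`, `content_length = data.length` is a character count, while Rack's `CONTENT_LENGTH` is a byte count; the fixtures in this test are pure ASCII so the two agree today, but `content_length = data.bytesize` is the correct value and keeps the request body from being truncated if a non-ASCII fixture is ever added. Separately, this patch contains only test changes: the `[[nil]]` and `[[[nil]]]` cases do reach `klass.find_by_title` and are asserted to return nil with just a deprecation, which presumably depends on the Active Record 4.2.7.1 query fix being present in the companion activerecord package — if it is not, %check fails rather than passing silently, which is the right direction, but the patch name should not be read as the CVE fix itself. The `'t' => [nil]` case is presumably collapsed to nil by parameter munging before the `if params[:t]` guard, so it exercises the parser, not Active Record; worth a one-line comment above that assertion so a later reader does not mistake it for query-side coverage.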
+++ b/SPECS/rubygem-actionpack.spec
@@ -15,7 +15,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Epoch: 1
 Version: 4.2.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -29,6 +29,10 @@ Source0: http://rubygems.org/downloads/actionpack-%{version}.gem
 # tar czvf actionpack-4.2.6-tests.tgz test/
 Source2: actionpack-%{version}-tests.tgz
 
+# Fix CVE-2016-6317 unsafe query generation in Active Record
+# https://bugzilla.redhat.com/show_bug.cgi?id=1365017
+Patch0: rubygem-actionpack-4.2.7.1-CVE-2016-6317-unsafe-query-tests.patch
+
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 Requires: %{?scl_prefix_ruby}ruby(release)
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
@@ -122,6 +126,8 @@ rm -rf %{buildroot}
 %check
 pushd .%{gem_instdir}
 
+patch -p2 < %{PATCH0}
+
 # load_path is not available, remove its require.
 sed -i '1,2d' test/abstract_unit.rb
 
@@ -129,9 +135,10 @@ sed -i '1,2d' test/abstract_unit.rb
 sed -i "1i\require 'rack/test'" lib/action_controller/metal/strong_parameters.rb
 
 # One test is failing: DebugExceptionsTest#test_debug_exceptions_app_shows_user_code_that_caused_the_error_in_source_view
+sed -i "/^ test 'debug exceptions app shows user code that caused the error in source view' do$/,/^ end$/ s/^/#/" \
+ test/dispatch/debug_exceptions_test.rb
 %{?scl:scl enable %{scl} %{scl_nodejs} - << \EOF}
-ruby -w -I.:lib:test -rtimeout -e 'Dir.glob("test/{abstract,controller,dispatch,template}/**/*_test.rb").each {|t| require t}' \
- | grep '2576 runs, 14116 assertions, 1 failures, 0 errors, 0 skips'
+ruby -w -I.:lib:test -rtimeout -e 'Dir.glob("test/{abstract,controller,dispatch,template}/**/*_test.rb").each {|t| require t}'
 %{?scl:EOF}
 popd
 %endif
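Review bot: The comment above `Patch0` reads as though this patch fixes CVE-2016-6317, but by its own name (`-unsafe-query-tests.patch`) it is a test-only patch applied in %check, and nothing in this change touches the library; someone auditing which packages close the CVE would be misled. Say what the patch actually is: `# CVE-2016-6317: upstream 4.2.7.1 regression test for unsafe query generation` followed by `# (the query fix itself lives in Active Record, not in this package)`, keeping the bugzilla link.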
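Review bot: `patch -p2 < %{PATCH0}` applies a patch taken from 4.2.7.1 to the 4.2.6 test tree by hand, outside the `%patch` macro, so it runs with GNU patch's default fuzz rather than the `--fuzz=0` rpmbuild enforces in %prep; a hunk that lands in the wrong place is accepted silently and only shows up later as an unexplained test failure or, worse, a test that no longer asserts what it should. Apply it with the same strictness: `patch -p2 --fuzz=0 < %{PATCH0}`. The `pushd .%{gem_instdir}` earlier in the hunk presumably puts `test/` at the right depth for `-p2`; the %check section continues outside the hunk.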
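Review bot: The new `sed` that comments out the DebugExceptions test is a silent no-op if its address range does not match — it is keyed on the exact test name, quoting and indentation in `test/dispatch/debug_exceptions_test.rb` — and since the `| grep '2576 runs, …'` filter is dropped, pass/fail now rests on ruby's exit status alone, so a stale pattern turns into a suite failure with no hint as to why. Guard the edit so a mismatch fails loudly at the point of the assumption: `grep -q "debug exceptions app shows user code that caused the error in source view" test/dispatch/debug_exceptions_test.rb` placed before the sed. Dropping the hard-coded run/assertion counts is itself an improvement: any new failure, including the CVE-2016-6317 regression test this change adds, now fails %check instead of requiring the expected count to be updated.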
@@ -150,6 +157,10 @@ popd
 %{gem_instdir}/test/
 
 %changelog
+* Thu Aug 18 2016 Jun Aruga - 1:4.2.6-3
+- Fix for CVE-2016-6317
+ Resolves: rhbz#1365017
+
 * Wed Apr 06 2016 Pavel Valena - 1:4.2.6-2
 - Enable tests