From a055ac99d67e36f897e412015a5aad05b45b08ed Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 28 Jun 2021 11:29:51 +0800
Subject: [PATCH] Fix CVE-2021-22904

(cherry picked from commit 0bf2113689664a2ca012d8746263187e2587b50c)

---
 CVE-2021-22904.patch | 29 +++++++++++++++++++++++++++++
 rubygem-actionpack.spec | 8 +++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-22904.patch

diff --git a/CVE-2021-22904.patch b/CVE-2021-22904.patch
new file mode 100644
index 0000000..99b5e3f
--- /dev/null
+++ b/CVE-2021-22904.patch
@@ -0,0 +1,29 @@
+From f97d14a056c9b6ec6bf46d24e0c04b4893e78d41 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Tue, 4 May 2021 15:49:21 -0700
+Subject: [PATCH] Prevent slow regex when parsing host authorization header
+
+The old regex could take too long when parsing an authorization header,
+and this could potentially cause a DoS vulnerability
+
+[CVE-2021-22904]
+---
+ .../lib/action_controller/metal/http_authentication.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+index 01676f3..d2e6674 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+@@ -406,7 +406,7 @@ module ActionController
+ module Token
+ TOKEN_KEY = "token="
+ TOKEN_REGEX = /^(Token|Bearer)\s+/
+- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
++ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
+ extend self
+
+ module ControllerMethods
+--
+2.23.0
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index e51156e..e7666dd 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
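Review bot: The backport consists of the single-line change to `AUTHN_PAIR_DELIMITERS` in the nested hunk and carries no regression check, so nothing in this commit shows that the packaged actionpack 5.2.4.4 copy of `http_authentication.rb` actually behaves differently after `%patch1` is applied. The spec does not visibly run the gem's test suite, so consider adding a `%check` step that drives `ActionController::HttpAuthentication::Token` with a header built from the delimiter characters the patch touches and asserts it returns promptly, or at least record in the patch header that the fix was verified against the installed file path `usr/share/gems/gems/actionpack-5.2.4.4/...`. The hunk's context lines show the enclosing `module Token` (and its parent `module ActionController`) continuing outside the hunk, and the inner patch header appears to have lost the upstream author's e-mail address, which is worth restoring so the cited upstream commit f97d14a056c9b6ec6bf46d24e0c04b4893e78d41 can be cross-checked.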
@@ -4,13 +4,15 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 5.2.4.4 -Release: 2 +Release: 3 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz Patch0: CVE-2021-22885.patch +Patch1: CVE-2021-22904.patch + BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 %if ! 0%{?bootstrap} BuildRequires: rubygem(activemodel) = %{version} rubygem(activerecord) = %{version} @@ -35,6 +37,7 @@ Documentation for %{name}. %setup -q -c -T %gem_install -n %{SOURCE0} %patch0 -p1 +%patch1 -p1 %build @@ -65,6 +68,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Mon Jun 28 2021 wangyue - 5.2.4.4-3 +- Fix CVE-2021-22904 + * Fri Jun 11 2021 wangyue - 5.2.4.4-2 - Fix CVE-2021-22885 -- Gitee