From f8830d592dc42d359930614adf9dff15b6181b50 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 28 Feb 2024 11:31:51 +0800
Subject: [PATCH] Fix CVE-2024-26144

---
 CVE-2024-26144.patch | 60 ++++++++++++++++++++++++++++++++++++++
 rubygem-activestorage.spec | 8 ++++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-26144.patch

diff --git a/CVE-2024-26144.patch b/CVE-2024-26144.patch
new file mode 100644
index 0000000..1e38e00
--- /dev/null
+++ b/CVE-2024-26144.patch
@@ -0,0 +1,60 @@
+From 723f54566023e91060a67b03353e7c03e7436433 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+
+Date: Thu, 3 Aug 2023 16:00:34 -0400
+Subject: [PATCH] Merge pull request #48869 from
+ brunoprietog/disable-session-active-storage-proxy-controllers
+
+Disable session in ActiveStorage blobs and representations proxy controllers
+
+[CVE-2024-26144]
+---
+ activestorage/CHANGELOG.md | 8 ++++++++
+ .../active_storage/blobs/proxy_controller.rb | 1 +
+ .../representations/proxy_controller.rb | 1 +
+ .../concerns/active_storage/disable_session.rb | 12 ++++++++++++
+ 4 files changed, 22 insertions(+)
+ create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
+
+diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+index 6ec2772717c70..438623858474e 100644
+--- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+@@ -9,6 +9,7 @@
+ class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
+ include ActiveStorage::SetBlob
+ include ActiveStorage::Streaming
++ include ActiveStorage::DisableSession
+
+ def show
+ if request.headers["Range"].present?
+diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+index 0f6c0f79978ab..7024f6534a501 100644
+--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+@@ -8,6 +8,7 @@
+ # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
+ class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
+ include ActiveStorage::Streaming
++ include ActiveStorage::DisableSession
+
+ def show
+ http_cache_forever public: true do
+diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+new file mode 100644
+index 0000000000000..200ad7c9d23ac
+--- /dev/null
++++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+@@ -0,0 +1,12 @@
++# frozen_string_literal: true
++
++# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
++module ActiveStorage::DisableSession
++ extend ActiveSupport::Concern
++
++ included do
++ before_action do
++ request.session_options[:skip] = true
++ end
++ end
++end
diff --git a/rubygem-activestorage.spec b/rubygem-activestorage.spec
index 57ec3a8..6a4845a 100644
--- a/rubygem-activestorage.spec
+++ b/rubygem-activestorage.spec
@@ -3,7 +3,7 @@
 %bcond_with ffmpeg
 Name: rubygem-%{gem_name}
 Version: 7.0.7
-Release: 1
+Release: 2
 Summary: Local and cloud file storage framework
 License: MIT
 URL: http://rubyonrails.org
@@ -18,6 +18,8 @@ Source1: %{gem_name}-%{version}-tests.txz
 # git clone http://github.com/rails/rails.git --no-checkout
 # cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
 Source2: rails-%{version}-tools.txz
+# https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
+Patch0: CVE-2024-26144.patch
 BuildRequires: ruby(release) rubygems-devel ruby
 %if %{without bootstrap}
 BuildRequires: rubygem(actionpack) = %{version} rubygem(activerecord) = %{version}
@@ -43,6 +45,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version} -b1 -b2
+%patch0 -p2
 %build
 gem build ../%{gem_name}-%{version}.gemspec
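Review bot: The header comment on the new `ActiveStorage::DisableSession` concern, `# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.`, records only the caching motive and not the security reason the commit subject cites, so a later cleanup could drop the concern as a mere optimisation. The representations controller in this hunk serves under `http_cache_forever public: true`, and skipping the session matters there presumably because a committed session would attach a `Set-Cookie` to a publicly cacheable response that a CDN would then replay to other clients. I would reword it to `# Skip committing the session so these publicly cacheable proxy responses never carry a Set-Cookie header that a shared cache could hand to another client (CVE-2024-26144).`, and add in the same place that, as I understand Rack's `session_options[:skip]`, it only stops the session being written at commit time, so an app that swaps in its own authenticated proxy controllers per the linked guide has to include this concern or not cache publicly. Two smaller points: the embedded patch's diffstat still lists `activestorage/CHANGELOG.md | 8 ++++++++` and "4 files changed" although only three file diffs are carried, which patch(1) ignores but reads as a truncated backport, and no test accompanies the change, so a request test asserting the proxy responses carry no `Set-Cookie` header would be worth adding on the distro side.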
@@ -120,6 +123,9 @@ popd
 %doc %{gem_instdir}/README.md
 %changelog
+* Wed Feb 28 2024 yaoxin - 7.0.7-2
+- Fix CVE-2024-26144
+
 * Thu Aug 17 2023 Ge Wang - 7.0.7-1
 - Upgrade to version 7.0.7
-- 
Gitee