diff --git a/CVE-2024-26144.patch b/CVE-2024-26144.patch
new file mode 100644
index 0000000000000000000000000000000000000000..904bfe0c4f345fc1cf2d20655ac482aea4bd1389
--- /dev/null
+++ b/CVE-2024-26144.patch
@@ -0,0 +1,60 @@
+From 78fe149509fac5b05e54187aaaef216fbb5fd0d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+
+Date: Thu, 3 Aug 2023 16:00:34 -0400
+Subject: [PATCH] Merge pull request #48869 from
+ brunoprietog/disable-session-active-storage-proxy-controllers
+
+Disable session in ActiveStorage blobs and representations proxy controllers
+
+[CVE-2024-26144]
+---
+ activestorage/CHANGELOG.md | 8 ++++++++
+ .../active_storage/blobs/proxy_controller.rb | 1 +
+ .../representations/proxy_controller.rb | 1 +
+ .../concerns/active_storage/disable_session.rb | 12 ++++++++++++
+ 4 files changed, 22 insertions(+)
+ create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
+
+diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+index 9b4993f240738..0a70d1d7dfc48 100644
+--- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
+@@ -4,6 +4,7 @@
+ class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
+ include ActiveStorage::SetBlob
+ include ActiveStorage::SetHeaders
++ include ActiveStorage::DisableSession
+
+ def show
+ http_cache_forever public: true do
+diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+index e1ebba109fa8d..5ac55fc6e9bcd 100644
+--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
++++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+@@ -3,6 +3,7 @@
+ # Proxy files through application. This avoids having a redirect and makes files easier to cache.
+ class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
+ include ActiveStorage::SetHeaders
++ include ActiveStorage::DisableSession
+
+ def show
+ http_cache_forever public: true do
+diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+new file mode 100644
+index 0000000000000..200ad7c9d23ac
+--- /dev/null
++++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
+@@ -0,0 +1,12 @@
++# frozen_string_literal: true
++
++# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
++module ActiveStorage::DisableSession
++ extend ActiveSupport::Concern
++
++ included do
++ before_action do
++ request.session_options[:skip] = true
++ end
++ end
++end
diff --git a/rubygem-activestorage.spec b/rubygem-activestorage.spec
index 30cbd93a8ce1799ee9eb6a2d44d630e6621441cb..46512cf877f29374a2a46e8662214ff5edf9b685 100644
--- a/rubygem-activestorage.spec
+++ b/rubygem-activestorage.spec
@@ -3,7 +3,7 @@
 %bcond_with ffmpeg
 Name: rubygem-%{gem_name}
 Version: 6.1.4.1
-Release: 1
+Release: 2
 Summary: Local and cloud file storage framework
 License: MIT
 URL: http://rubyonrails.org
@@ -18,6 +18,8 @@ Source1: %{gem_name}-%{version}-tests.txz
 # git clone http://github.com/rails/rails.git --no-checkout
 # cd rails && git archive -v -o rails-6.1.4.1-tools.txz v6.1.4.1 tools/
 Source2: rails-%{version}-tools.txz
+# https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
+Patch0: CVE-2024-26144.patch
 BuildRequires: ruby(release) rubygems-devel ruby
 %if %{without bootstrap}
 BuildRequires: rubygem(actionpack) = %{version} rubygem(activerecord) = %{version}
@@ -43,6 +45,7 @@ Documentation for %{name}.
 %prep
 %setup -q -n %{gem_name}-%{version} -b1 -b2
+%patch0 -p2
 %build
 gem build ../%{gem_name}-%{version}.gemspec
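Review bot: The session skip in `ActiveStorage::DisableSession` is set from an ordinary `before_action`, and in `Blobs::ProxyController` the concern is included after `ActiveStorage::SetBlob`, so its callback is appended behind whatever callbacks SetBlob registers; if one of those earlier callbacks halts the chain with an early response (SetBlob's body is outside this hunk, so I cannot confirm it does), the `:skip` flag is never set and that response is still free to commit the session and emit `Set-Cookie`, which is the very header the CVE is about. Making the concern independent of include order is a one-word change in the new file: `prepend_before_action do` in place of `before_action do`. The same ordering question applies to `Representations::ProxyController`, whose `ActiveStorage::Representations::BaseController` parent and its callbacks are not visible here. This assumes ActionDispatch in the 6.1.4.1 target honours `request.session_options[:skip]` at commit time as the Rack session `:skip` option; worth confirming against the installed actionpack rather than upstream main. While touching the file, the comment could state the security rationale instead of only the caching benefit, e.g. `# Never touch the session here: a Set-Cookie on these publicly cacheable responses could be stored by a shared cache or CDN and served to other clients (CVE-2024-26144).`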
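Review bot: Nothing in the build verifies that the backport took effect: the embedded diffstat lists only two controllers, the new concern and a CHANGELOG entry, so the bundled test tarball (Source1) contains no test for this behaviour, and the spec adds no `%check` assertion. The `-p2` strip level does match the `a/activestorage/` prefix in the patch paths, so the files land under `app/controllers/` inside the gem tree as intended. Since the referenced upstream commit is against main rather than the 6-1-stable branch, it would also be worth checking the 6.1.x security release for CVE-2024-26144 to confirm no additional change was shipped there that this single-commit patch omits.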
@@ -111,6 +114,9 @@ popd
 %doc %{gem_instdir}/README.md
 %changelog
+* Wed Feb 28 2024 yaoxin - 6.1.4.1-2
+- Fix CVE-2024-26144
+
+* Wed Mar 02 2022 jiangxinyu - 6.1.4.1-1
+- update to 6.1.4.1