From 201c049519472dc40592fa32fc0dbdb7c812a0ba Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 26 Jun 2024 14:51:51 +0800
Subject: [PATCH] Fix CVE-2023-28120
---
 CVE-2023-28120.patch | 24 ++++++++++++++++++++++++
 rubygem-activesupport.spec | 8 +++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-28120.patch
diff --git a/CVE-2023-28120.patch b/CVE-2023-28120.patch
new file mode 100644
index 0000000..b10749a
--- /dev/null
+++ b/CVE-2023-28120.patch
@@ -0,0 +1,24 @@
+From 3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 Mon Sep 17 00:00:00 2001
+From: Akira Matsuda
+Date: Thu, 5 Jan 2023 05:25:37 +0900
+Subject: [PATCH] Implement SafeBuffer#bytesplice
+
+---
+ .../core_ext/string/output_safety.rb | 4 +++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 8a06ccdd8e385..a627540a353db 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
++++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -216,6 +216,10 @@ def concat(value)
+ end
+ alias << concat
+ 
++ def bytesplice(*args, value)
++ super(*args, implicit_html_escape_interpolated_argument(value))
++ end
++
+ def prepend(value)
+ super(html_escape_interpolated_argument(value))
+ end
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index fe1853a..8a1b6da 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -3,7 +3,7 @@
 Name: rubygem-%{gem_name}
 Epoch: 2
 Version: 5.2.4.4
-Release: 4
+Release: 5
 Summary: A support libraries and Ruby core extensions extracted from the Rails framework
 License: MIT
 URL: http://rubyonrails.org
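Review bot: The added `bytesplice` escapes its argument with `implicit_html_escape_interpolated_argument`, while the sibling `prepend` shown in the same hunk's context escapes with `html_escape_interpolated_argument`; the backport context has evidently been adapted to the 5.2.4.4 file, but the added line was not, and if that file defines only the latter helper then `SafeBuffer#bytesplice` raises NoMethodError instead of escaping — the unescaped-write path is closed, but callers break rather than get safe output. Use the helper the surrounding file actually provides, `super(*args, html_escape_interpolated_argument(value))`, and verify after the build that splicing an unsafe string into a safe buffer (e.g. `ActiveSupport::SafeBuffer.new("abc").bytesplice(0, 1, "<b>")`) yields the escaped text rather than an exception. Note also that `String#bytesplice` exists only on Ruby 3.2 and later; on older interpreters the override's `super` has no target and the call fails the same way an unpatched String would, which is presumably acceptable given the spec's unchanged `ruby >= 2.2.2` requirement. The `%patch3001 -p2` line in the spec hunk strips `a/activesupport/` from these paths so the hunk lands on the gem's `lib/active_support/core_ext/string/output_safety.rb`; %prep will surface any remaining context mismatch, but it will not catch the helper-name mismatch above.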
@@ -15,6 +15,8 @@ Patch1: CVE-2023-38037.patch # https://github.com/rails/rails/commit/676ad96fa5d9d0213babc32c9bad8190597a00d1 # https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545 Patch3000: CVE-2022-23633.patch +# https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70 +Patch3001: CVE-2023-28120.patch Requires: rubygem(bigdecimal) rubygem(json) BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 rubygem(bigdecimal) rubygem(builder) @@ -39,6 +41,7 @@ Documentation for %{name}. %patch0 -p2 %patch1 -p1 %patch3000 -p1 +%patch3001 -p2 %build gem build ../%{gem_name}-%{version}.gemspec @@ -82,6 +85,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Wed Jun 26 2024 wangkai <13474090681@163.com> - 2:5.2.4.4-5 +- Fix CVE-2023-28120 + * Tue Jun 25 2024 zouzhimin - 2:5.2.4.4-4 - Type:CVES - ID:CVE-2022-23633 -- Gitee