From d2c778f1bae83f190a8a8aba5578d827ce070fc2 Mon Sep 17 00:00:00 2001
From: peng2285
Date: Mon, 5 Dec 2022 17:44:27 +0800
Subject: [PATCH] fix CVE-2022-45442

modified: rubygem-sinatra.spec
---
 CVE-2022-45442.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++
 rubygem-sinatra.spec | 8 +++++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-45442.patch

diff --git a/CVE-2022-45442.patch b/CVE-2022-45442.patch
new file mode 100644
index 0000000..75bfb34
--- /dev/null
+++ b/CVE-2022-45442.patch
@@ -0,0 +1,61 @@
+From ea8fc9495a350f7551b39e3025bfcd06f49f363b Mon Sep 17 00:00:00 2001
+From: namusyaka
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+---
+ lib/sinatra/base.rb | 9 ++++++++-
+ test/helpers_test.rb | 12 ++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index d7e2d65ad..cbb3f2fd7 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -396,13 +396,20 @@ def content_type(type = nil, params = {})
+ response['Content-Type'] = mime_type
+ end
++ # https://html.spec.whatwg.org/#multipart-form-data
++ MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
++ '"' => '%22',
++ "\r" => '%0D',
++ "\n" => '%0A'
++ }.freeze
++
+ # Set the Content-Disposition to "attachment" with the specified filename,
+ # instructing the user agents to prompt to save.
+ def attachment(filename = nil, disposition = :attachment)
+ response['Content-Disposition'] = disposition.to_s.dup
+ return unless filename
+
+- params = format('; filename="%s"', File.basename(filename))
++ params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
+ response['Content-Disposition'] << params
+ ext = File.extname(filename)
+ content_type(ext) unless response['Content-Type'] || ext.empty?
+diff --git a/test/helpers_test.rb b/test/helpers_test.rb
+index 67dffce1f..71b42a8fd 100644
+--- a/test/helpers_test.rb
++++ b/test/helpers_test.rb
+@@ -781,6 +781,18 @@ def attachment_app(filename=nil)
+ assert_equal '', body
+ end
+
++ it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
++ mock_app do
++ get('/attachment') do
++ attachment "test.xml\";\r\next=.txt"
++ response.write("")
++ end
++ end
++
++ get '/attachment'
++ assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
++ assert_equal '', body
++ end
+ end
+
+ describe 'send_file' do
diff --git a/rubygem-sinatra.spec b/rubygem-sinatra.spec
index b17e2ac..494cbe9 100644
--- a/rubygem-sinatra.spec
+++ b/rubygem-sinatra.spec
@@ -3,7 +3,7 @@
 Summary: Ruby-based web application framework
 Name: rubygem-%{gem_name}
 Version: 2.0.8.1
-Release: 1
+Release: 2
 License: MIT
 URL: http://www.sinatrarb.com/
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
@@ -13,6 +13,8 @@ Source1: %{gem_name}-%{version}-test.tar.gz
 # Fix test failure due to Rack 2.2.2 incompatibility.
 # https://github.com/sinatra/sinatra/pull/1605
 Patch0: rubygem-sinatra-2.0.8.1-Fix-failing-tests.patch
+Patch1: CVE-2022-45442.patch
+
 BuildRequires: rubygems-devel ruby(release) ruby >= 2.2.0
 %if ! 0%{?bootstrap}
 BuildRequires: rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt)
@@ -37,6 +39,7 @@ This package contains documentation for %{name}.
 pushd %{_builddir}
 %patch0 -p1
+%patch1 -p1
 popd
 
 %build
@@ -82,6 +85,9 @@ popd
 %{gem_instdir}/examples
 
 %changelog
+* Mon Dec 5 2022 jiangpeng - 2.0.8.1-2
+- Fix CVE-2022-45442
+
 * Thu Feb 24 2022 liyanan - 2.0.8.1-1
 - update to 2.0.8.1
-- Gitee
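Review bot: The rewritten `params` line in `attachment` relies on the character class `/["\r\n]/` and the keys of `MULTIPART_FORM_DATA_REPLACEMENT_TABLE` naming the same three characters, and `String#gsub` with a Hash replacement substitutes an empty string for any match the Hash has no key for, so a later edit to one side alone would silently delete characters instead of escaping them. I would add above the table `# Keys must match the character class in #attachment's gsub; String#gsub drops any match the Hash lacks.` Only `"`, CR and LF are rewritten, as in the WHATWG table the comment cites; other control or non-ASCII bytes in the basename still reach the quoted-string unchanged, which matches upstream ea8fc9495a350f7551b39e3025bfcd06f49f363b and is presumably acceptable for a backport. The body of `attachment` continues past the end of the inner hunk, and this outer hunk adds the patch file as a whole.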
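Review bot: `Patch1: CVE-2022-45442.patch` is added without the comment the file gives `Patch0` (a one-line reason plus the upstream URL), and the patch file carries upstream blob ids `d7e2d65ad..cbb3f2fd7` rather than ones from 2.0.8.1, so a reader of the spec cannot tell where it came from or that it was taken from a newer tree; I would add above it `# Escape filename in the Content-Disposition header (CVE-2022-45442)` and `# https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b`. The same patch also touches `test/helpers_test.rb`, which this package takes from `Source1`; `%patch1 -p1` in the `-37,6` hunk runs inside `pushd %{_builddir}` like `%patch0`, so the test tarball presumably has to be unpacked there before that point — worth confirming against the `%prep` lines above the hunk, which are outside this view. The `Release` bump and changelog hunks need nothing further.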