From 85f385c3b23d67e25c88092527b9150e9ea8d5f3 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 18 Nov 2024 10:56:52 +0800
Subject: [PATCH] Fix CVE-2022-45442

(cherry picked from commit fc40141e4630fd3ac9cebd14c56ca63883702554)
---
 backport-CVE-2022-45442-test.patch | 40 +++++++++++++++++++++++
 backport-CVE-2022-45442.patch | 51 ++++++++++++++++++++++++++++++
 rubygem-sinatra.spec | 12 ++++++-
 3 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-45442-test.patch
 create mode 100644 backport-CVE-2022-45442.patch

diff --git a/backport-CVE-2022-45442-test.patch b/backport-CVE-2022-45442-test.patch
new file mode 100644
index 0000000..51009da
--- /dev/null
+++ b/backport-CVE-2022-45442-test.patch
@@ -0,0 +1,40 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ test/helpers_test.rb | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/test/helpers_test.rb b/test/helpers_test.rb
+index 463a21d..7201aab 100644
+--- a/test/helpers_test.rb
++++ b/test/helpers_test.rb
+@@ -781,6 +781,18 @@ class HelpersTest < Minitest::Test
+ assert_equal '', body
+ end
+
++ it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
++ mock_app do
++ get('/attachment') do
++ attachment "test.xml\";\r\next=.txt"
++ response.write("")
++ end
++ end
++
++ get '/attachment'
++ assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
++ assert_equal '', body
++ end
+ end
+
+ describe 'send_file' do
+--
+2.47.0
+
diff --git a/backport-CVE-2022-45442.patch b/backport-CVE-2022-45442.patch
new file mode 100644
index 0000000..0386977
--- /dev/null
+++ b/backport-CVE-2022-45442.patch
@@ -0,0 +1,51 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ lib/sinatra/base.rb | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index f5d7729..b20a1f7 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -357,16 +357,23 @@ module Sinatra
+ response['Content-Type'] = mime_type
+ end
+
++ # https://html.spec.whatwg.org/#multipart-form-data
++ MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
++ '"' => '%22',
++ "\r" => '%0D',
++ "\n" => '%0A'
++ }.freeze
++
+ # Set the Content-Disposition to "attachment" with the specified filename,
+ # instructing the user agents to prompt to save.
+ def attachment(filename = nil, disposition = :attachment)
+ response['Content-Disposition'] = disposition.to_s.dup
+- if filename
+- params = '; filename="%s"' % File.basename(filename)
+- response['Content-Disposition'] << params
+- ext = File.extname(filename)
+- content_type(ext) unless response['Content-Type'] or ext.empty?
+- end
++ return unless filename
++
++ params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
++ response['Content-Disposition'] << params
++ ext = File.extname(filename)
++ content_type(ext) unless response['Content-Type'] || ext.empty?
+ end
+
+ # Use the contents of the file at +path+ as the response body.
+--
+2.47.0
+
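Review bot: The replacement table used in the new `attachment` body escapes only `"`, CR and LF, so a caller-supplied filename ending in a backslash is still emitted as `filename="name\"`, which strict quoted-string parsers (backslash-quote is a quoted-pair) read as an unterminated value; this is not header injection, but it is the same untrusted-filename path the backport is hardening. Adding `'\\' => '%5C'` to `MULTIPART_FORM_DATA_REPLACEMENT_TABLE` and widening the pattern to `/["\\\r\n]/` would cover it without altering the three WHATWG cases the companion test patch pins. `File.extname(filename)` is still taken from the raw, unescaped name before `content_type(ext)`; that matches the pre-patch behaviour but deserves a one-line comment such as `# extension lookup uses the original name; only the header value is escaped`. The enclosing `module Sinatra` and helper module begin and end outside this hunk.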
diff --git a/rubygem-sinatra.spec b/rubygem-sinatra.spec
index 3c03278..7c0348f 100644
--- a/rubygem-sinatra.spec
+++ b/rubygem-sinatra.spec
@@ -3,7 +3,7 @@ Summary: Ruby-based web application framework
 Name: rubygem-%{gem_name}
 Version: 2.0.8.1
-Release: 3
+Release: 4
 License: MIT
 URL: http://www.sinatrarb.com/
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
@@ -16,6 +16,11 @@ Patch0: rubygem-sinatra-2.0.8.1-Fix-failing-tests.patch
 Patch1: Internal-Sinatra-errors-now-extend-Sinatra-Error-test.patch
 Patch2: Internal-Sinatra-errors-now-extend-Sinatra-Error.patch
 Patch3: Fix-broken-spec.patch
+
+# Security fix
+Patch3000: backport-CVE-2022-45442.patch
+Patch3001: backport-CVE-2022-45442-test.patch
+
 BuildRequires: rubygems-devel ruby(release) ruby >= 2.2.0
 %if ! 0%{?bootstrap}
 BuildRequires: rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt)
@@ -42,9 +47,11 @@ pushd %{_builddir}
 %patch0 -p1
 %patch1 -p1
 %patch3 -p1
+%patch3001 -p1
 popd
 %patch2 -p1
+%patch3000 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -89,6 +96,9 @@ popd
 %{gem_instdir}/examples
 %changelog
+* Mon Nov 18 2024 yaoxin - 1:2.0.8.1-4
+- Fix CVE-2022-45442
+
 * Sat May 11 2024 Zhengxin Guo - 1:2.0.8.1-3
 - fix the correctly ignores syntactically invalid range requests test
-- Gitee