diff --git a/Fix-failing-tests.patch b/Fix-broken-spec.patch similarity index 43% rename from Fix-failing-tests.patch rename to Fix-broken-spec.patch index e844a384300b9fd6bfc4732e4df2a8df75c4db63..df60938a90625cfb522c5568e3d52fdd3e52eee2 100644 --- a/Fix-failing-tests.patch +++ b/Fix-broken-spec.patch @@ -1,25 +1,29 @@ -From 750aa3b0de06dad41539bdb402123b5416a3475d Mon Sep 17 00:00:00 2001 +From 5baa1c8ddcadfdfe07b74c2a72fc9a29121851fd Mon Sep 17 00:00:00 2001 From: Jordan Owens -Date: Tue, 10 Mar 2020 10:24:05 -0400 -Subject: [PATCH] Fix failing tests +Date: Sun, 22 Jan 2023 19:28:40 -0500 +Subject: [PATCH] Fix broken spec -Rack added support for Multi-part ranges and apparently changed the -format of cookie expires timestamp format to match specs. +HTTP ranges with non decimal characters is treated as range 0..0 as of Rack 2.2.6.2. + +Origin: +https://github.com/sinatra/sinatra/commit/5baa1c8ddcadfdfe07b74c2a72fc9a29121851fd --- - test/static_test.rb | 3 +-- - 1 files changed, 1 insertions(+), 2 deletions(-) + test/static_test.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/static_test.rb b/test/static_test.rb -index e8408b14e..1c6cb35e9 100644 +index d0cbbb0..5e3c34d 100644 --- a/test/static_test.rb 
+++ b/test/static_test.rb -@@ -152,8 +152,7 @@ def assert_valid_range(http_range, range, path, file) - end +@@ -153,7 +153,7 @@ class StaticTest < Minitest::Test it 'correctly ignores syntactically invalid range requests' do -- # ...and also ignores multi-range requests, which aren't supported yet + # ...and also ignores multi-range requests, which aren't supported yet - ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=-", "bytes=1-2,3-4"].each do |http_range| -+ ["bytes=45-40", "bytes=IV-LXVI", "octets=10-20", "bytes=", "bytes=3-1,4-5"].each do |http_range| ++ ["bytes=45-40", "octets=10-20", "bytes=", "bytes=3-1,4-5"].each do |http_range| request = Rack::MockRequest.new(@app) response = request.get("/#{File.basename(__FILE__)}", 'HTTP_RANGE' => http_range) +-- +2.27.0 + diff --git a/backport-CVE-2022-45442-test.patch b/backport-CVE-2022-45442-test.patch new file mode 100644 index 0000000000000000000000000000000000000000..ee80d24178c9a864404e838ed7de0ea9624b930f --- /dev/null +++ b/backport-CVE-2022-45442-test.patch 
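Review bot: Dropping `"bytes=IV-LXVI"` from the list on the `++ ["bytes=45-40", "octets=10-20", "bytes=", "bytes=3-1,4-5"]` line removes coverage for non-decimal range specifiers instead of pinning the behaviour the patch preamble describes (Rack 2.2.6.2 treating such a range as 0..0). A separate assertion for that request, checking the status and Content-Range the static handler now returns, would record the behaviour change rather than hide it; the expected values are not visible here and would have to be taken from a run against the packaged Rack. The assertions that follow `response = request.get(...)` in the embedded test lie outside the hunk.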
@@ -0,0 +1,40 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ test/helpers_test.rb | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/test/helpers_test.rb b/test/helpers_test.rb
+index 52d5fbc..217c9fc 100644
+--- a/test/helpers_test.rb
++++ b/test/helpers_test.rb
+@@ -781,6 +781,18 @@ class HelpersTest < Minitest::Test
+ assert_equal '', body
+ end
+
++ it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
++ mock_app do
++ get('/attachment') do
++ attachment "test.xml\";\r\next=.txt"
++ response.write("")
++ end
++ end
++
++ get '/attachment'
++ assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
++ assert_equal '', body
++ end
+ end
+
+ describe 'send_file' do
+--
+2.47.0
+
diff --git a/backport-CVE-2022-45442.patch b/backport-CVE-2022-45442.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d0730e710ff9798e9e4674d1226a39b9e9c8655
--- /dev/null
+++ b/backport-CVE-2022-45442.patch
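Review bot: The new `it 'escapes filename in the Content-Disposition header ...'` case asserts Content-Disposition and body but not Content-Type, even though the code change in backport-CVE-2022-45442.patch still derives `ext` from the raw, unescaped filename before calling `content_type(ext)`. An additional `assert_equal <expected text type>, response['Content-Type']` would pin that the escaping does not disturb extension detection for `.txt`; the exact value comes from Sinatra's mime table, so copy it from an existing test rather than guessing. The `describe` block that contains this case starts outside the hunk.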
@@ -0,0 +1,51 @@
+From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
+From: namusyaka
+Date: Wed, 23 Nov 2022 22:24:02 +0900
+Subject: [PATCH] escape filename in the Content-Disposition header
+
+According the multipart form data spec in WHATWG living standard.
+Ref: https://html.spec.whatwg.org/#multipart-form-data
+
+Origin:
+https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
+---
+ lib/sinatra/base.rb | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
+index 727078d..ccd5c85 100644
+--- a/lib/sinatra/base.rb
++++ b/lib/sinatra/base.rb
+@@ -357,16 +357,23 @@ module Sinatra
+ response['Content-Type'] = mime_type
+ end
+
++ # https://html.spec.whatwg.org/#multipart-form-data
++ MULTIPART_FORM_DATA_REPLACEMENT_TABLE = {
++ '"' => '%22',
++ "\r" => '%0D',
++ "\n" => '%0A'
++ }.freeze
++
+ # Set the Content-Disposition to "attachment" with the specified filename,
+ # instructing the user agents to prompt to save.
+ def attachment(filename = nil, disposition = :attachment)
+ response['Content-Disposition'] = disposition.to_s
+- if filename
+- params = '; filename="%s"' % File.basename(filename)
+- response['Content-Disposition'] << params
+- ext = File.extname(filename)
+- content_type(ext) unless response['Content-Type'] or ext.empty?
+- end
++ return unless filename
++
++ params = format('; filename="%s"', File.basename(filename).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE))
++ response['Content-Disposition'] << params
++ ext = File.extname(filename)
++ content_type(ext) unless response['Content-Type'] || ext.empty?
+ end
+
+ # Use the contents of the file at +path+ as the response body.
+--
+2.47.0
+
diff --git a/rubygem-sinatra.spec b/rubygem-sinatra.spec
index 1ae1241f113b2d92ba4c396cb2c0b671f63352c4..92ae1404170f438712f4fcb17173faf1c1e8b47c 100644
--- a/rubygem-sinatra.spec
+++ b/rubygem-sinatra.spec
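Review bot: The replacement table introduced at `++ MULTIPART_FORM_DATA_REPLACEMENT_TABLE` and the `gsub(/["\r\n]/, ...)` call percent-encode only the three characters the WHATWG algorithm names, so other control characters and non-ASCII bytes in `filename` still reach the header verbatim, and `ext = File.extname(filename)` is taken from the raw, unescaped name. That mirrors upstream, but a one-line note above the constant, `# Only ", CR and LF are escaped; any other byte in the basename is emitted unchanged`, would make the scope of the backport explicit for the packager. The `or` → `||` rewrite in the `content_type(ext)` line is a style change bundled into a security backport; it is harmless but widens the diff a reviewer has to vet. The enclosing class inside `module Sinatra` starts outside the hunk.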
@@ -3,12 +3,17 @@ Summary: Ruby-based web application framework Name: rubygem-%{gem_name} Version: 2.0.3 -Release: 2 +Release: 3 License: MIT URL: http://www.sinatrarb.com/ Source0: https://rubygems.org/gems/sinatra-%{version}.gem Source1: https://github.com/sinatra/sinatra/archive/v%{version}.tar.gz -Patch0: Fix-failing-tests.patch +Patch0: Fix-broken-spec.patch + +# Security fix +Patch3000: backport-CVE-2022-45442.patch +Patch3001: backport-CVE-2022-45442-test.patch + BuildRequires: rubygems-devel %if ! 0%{?bootstrap} BuildRequires: rubygem(rack) >= 2.0 rubygem(rack-protection) = %{version} rubygem(tilt) @@ -29,12 +34,13 @@ Obsoletes: %{name}-doc < %{version}-%{release} This package contains documentation for %{name}. %prep -gem unpack %{SOURCE0} -%setup -q -D -T -n %{gem_name}-%{version} -gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec +%setup -q -n %{gem_name}-%{version} -b 1 +%patch0 -p1 +%patch3000 -p1 +%patch3001 -p1 %build -gem build %{gem_name}.gemspec +gem build ../%{gem_name}-%{version}.gemspec %gem_install %install @@ -46,9 +52,7 @@ sed -i -e 's|^#!/usr/bin/env ruby|#!/usr/bin/ruby|' \ %check %if ! 0%{?bootstrap} pushd .%{gem_instdir} -tar xzvf %{SOURCE1} -cd %{gem_name}-%{version} -cat %{PATCH0} | patch -p1 +ln -s %{_builddir}/%{gem_name}-%{version}/test test for FILE in $(grep -rl '^require.*bundler.*' test/); do sed -i "/^require 'bundler.*'/ s/^/#/" ${FILE} done @@ -80,6 +84,9 @@ popd %{gem_instdir}/examples %changelog +* Wed Nov 20 2024 yaoxin - 1:2.0.3-3 +- Fix CVE-2022-45442 + * Fri Dec 03 2021 xu_ping - 2.0.3-2 - Fix tests failed
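Review bot: The new changelog entry `* Wed Nov 20 2024 yaoxin - 1:2.0.3-3` carries an epoch prefix while the previous entry reads `2.0.3-2` and no `Epoch:` tag is visible in the header hunk; unless the spec declares `Epoch: 1` outside these hunks, the line should read `- 2.0.3-3` so the changelog agrees with `Version`/`Release` and rpmlint's consistency check. In the %check hunk, `ln -s %{_builddir}/%{gem_name}-%{version}/test test` now points the tests at the tree patched in %prep instead of re-applying `%{PATCH0}` by hand, which is the right shape given Patch3001 only touches tests; the `popd` closing that `pushd .%{gem_instdir}` block lies outside the hunk.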