authorMamoru Tasaka <mtasaka@fedoraproject.org>2010-01-07 15:02:11 +0000
committerMamoru Tasaka <mtasaka@fedoraproject.org>2010-01-07 15:02:11 +0000
commita647a236fc1e4b21425f94d2192615e6996674c7 (patch)
tree5205f9de8d6de5878ea0c3cabe029ef2874e3d42
parent0c7cf215aee39c98b3bff7a106a60bcb82252f97 (diff)
- Workaround patch to fix the rack 1.1.0 dependency (bug 552972)
-rw-r--r--rubygem-actionpack-2.3.4-rack-compat.patch174
-rw-r--r--rubygem-actionpack-2.3.x-CVE-2009-4214.patch39
-rw-r--r--rubygem-actionpack.spec19
3 files changed, 231 insertions, 1 deletions
diff --git a/rubygem-actionpack-2.3.4-rack-compat.patch b/rubygem-actionpack-2.3.4-rack-compat.patch
new file mode 100644
index 0000000..8583a21
--- /dev/null
+++ b/rubygem-actionpack-2.3.4-rack-compat.patch
@@ -0,0 +1,174 @@
+--- Rakefile.debug 2010-01-07 03:03:57.000000000 +0900
++++ Rakefile 2010-01-07 03:05:36.000000000 +0900
+@@ -80,7 +80,7 @@
+ s.requirements << 'none'
+
+ s.add_dependency('activesupport', '= 2.3.4' + PKG_BUILD)
+- s.add_dependency('rack', '~> 1.0.0')
++ s.add_dependency('rack', '>= 1.0.0')
+
+ s.require_path = 'lib'
+ s.autorequire = 'action_controller'
+--- lib/action_controller.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ lib/action_controller.rb 2010-01-07 03:05:36.000000000 +0900
+@@ -31,7 +31,7 @@
+ end
+ end
+
+-gem 'rack', '~> 1.0.0'
++gem 'rack', '>= 1.0.0'
+ require 'rack'
+
+ module ActionController
+--- lib/action_controller/integration.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ lib/action_controller/integration.rb 2010-01-07 18:46:03.000000000 +0900
+@@ -320,9 +320,25 @@
+
+ @headers = Rack::Utils::HeaderHash.new(headers)
+
+- (@headers['Set-Cookie'] || "").split("\n").each do |cookie|
+- name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
+- @cookies[name] = value
++ # Umm.. it seems that with rack 1.1.0 @headers is an array
++ # instead of a string which rack 1.0.0 returned
++ # FIXME!!
++
++ headers_cookie = @headers['Set-Cookie']
++ if headers_cookie.is_a?(Array)
++ headers_cookie.each do |cookie_arr|
++ cookie_arr.split("\n").each do |cookie|
++ name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
++ @cookies[name] = value
++ end
++ end
++
++ else
++
++ (headers_cookie || "").split("\n").each do |cookie|
++ name, value = cookie.match(/^([^=]*)=([^;]*);/)[1,2]
++ @cookies[name] = value
++ end
+ end
+
+ @body = ""
+--- lib/action_controller/response.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ lib/action_controller/response.rb 2010-01-07 19:40:44.000000000 +0900
+@@ -112,6 +112,12 @@
+ end
+
+ def etag?
++
++ # FIXME!!
++ if Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1
++ return headers.include?('ETag') && !headers['ETag'].nil?
++ end
++
+ headers.include?('ETag')
+ end
+
+@@ -218,8 +224,15 @@
+ # Don't set the Content-Length for block-based bodies as that would mean
+ # reading it all into memory. Not nice for, say, a 2GB streaming file.
+ def set_content_length!
++
++ ## FIXME
++
+ if status && status.to_s[0..2] == '204'
+ headers.delete('Content-Length')
++
++ elsif Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1 && status && status.to_s[0..2] == '304'
++ headers.delete('Content-Length')
++
+ elsif length = headers['Content-Length']
+ headers['Content-Length'] = length.to_s
+ elsif !body.respond_to?(:call) && (!status || status.to_s[0..2] != '304')
+--- test/controller/integration_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ test/controller/integration_test.rb 2010-01-07 05:44:37.000000000 +0900
+@@ -306,7 +306,9 @@
+ assert_equal "Gone", status_message
+ assert_response 410
+ assert_response :gone
+- assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", headers["Set-Cookie"]
++ # Okay if cookies coincides.
++ # With rake 1.1.0 headers["Set-Cookie"] is an array instread of a string
++ #assert_equal "cookie_1=; path=/\ncookie_3=chocolate; path=/", headers["Set-Cookie"]
+ assert_equal({"cookie_1"=>"", "cookie_2"=>"oatmeal", "cookie_3"=>"chocolate"}, cookies)
+ assert_equal "Gone", response.body
+ end
+--- test/controller/rack_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ test/controller/rack_test.rb 2010-01-07 05:40:49.000000000 +0900
+@@ -215,11 +215,16 @@
+
+ status, headers, body = @response.to_a
+ assert_equal 200, status
++ if headers['Set-Cookie'].is_a?(Array)
++ cookie_must = []
++ else
++ cookie_must = ""
++ end
+ assert_equal({
+ "Content-Type" => "text/html; charset=utf-8",
+ "Cache-Control" => "private, max-age=0, must-revalidate",
+ "ETag" => '"65a8e27d8879283831b664bd8b7f0ad4"',
+- "Set-Cookie" => "",
++ "Set-Cookie" => cookie_must,
+ "Content-Length" => "13"
+ }, headers)
+
+@@ -234,11 +239,16 @@
+
+ status, headers, body = @response.to_a
+ assert_equal 200, status
++ if headers['Set-Cookie'].is_a?(Array)
++ cookie_must = []
++ else
++ cookie_must = ""
++ end
+ assert_equal({
+ "Content-Type" => "text/html; charset=utf-8",
+ "Cache-Control" => "private, max-age=0, must-revalidate",
+ "ETag" => '"ebb5e89e8a94e9dd22abf5d915d112b2"',
+- "Set-Cookie" => "",
++ "Set-Cookie" => cookie_must,
+ "Content-Length" => "8"
+ }, headers)
+ end
+@@ -251,10 +261,15 @@
+
+ status, headers, body = @response.to_a
+ assert_equal 200, status
++ if headers['Set-Cookie'].is_a?(Array)
++ cookie_must = []
++ else
++ cookie_must = ""
++ end
+ assert_equal({
+ "Content-Type" => "text/html; charset=utf-8",
+ "Cache-Control" => "no-cache",
+- "Set-Cookie" => ""
++ "Set-Cookie" => cookie_must
+ }, headers)
+
+ parts = []
+--- test/controller/session/cookie_store_test.rb.debug 2010-01-07 03:03:57.000000000 +0900
++++ test/controller/session/cookie_store_test.rb 2010-01-07 05:47:37.000000000 +0900
+@@ -145,7 +145,8 @@
+ with_test_route_set do
+ get '/no_session_access'
+ assert_response :success
+- assert_equal "", headers['Set-Cookie']
++ #assert_equal "", headers['Set-Cookie']
++ assert headers['Set-Cookie'].empty?
+ end
+ end
+
+@@ -155,7 +156,8 @@
+ "fef868465920f415f2c0652d6910d3af288a0367"
+ get '/no_session_access'
+ assert_response :success
+- assert_equal "", headers['Set-Cookie']
++ #assert_equal "", headers['Set-Cookie']
++ assert headers['Set-Cookie'].empty?
+ end
+ end
+
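Review bot: The new `>= 1.0.0` constraint in the Rakefile and action_controller.rb hunks has no upper bound, yet every compatibility branch added in response.rb (`etag?` and `set_content_length!`) is keyed on `Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1`, so a rack 2.x that the constraint now admits would take neither the 1.0 nor the 1.1 path; `s.add_dependency('rack', '~> 1.0')` and `gem 'rack', '~> 1.0'` keep the 1.x bound while accepting 1.1.0, and the spec's `sed -i -e '/rack/s|~>|>=|'` in the %prep hunk rewrites the installed gemspec the same way and would need the matching replacement. In integration.rb the Array and String branches carry two copies of the cookie regex parse; normalising first, e.g. `cookie_lines = headers_cookie.is_a?(Array) ? headers_cookie : [headers_cookie.to_s]`, leaves a single loop over `cookie_lines`. The rack version test itself is duplicated between `etag?` and `set_content_length!`; hoisting it into one named constant (e.g. `RACK_1_1 = Rack::VERSION[0] == 1 && Rack::VERSION[1] >= 1`, name constructed here) would document what is being special-cased and give the FIXME markers a single place to be resolved. The enclosing methods in the integration.rb and set_content_length! hunks start or end outside the quoted context.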
diff --git a/rubygem-actionpack-2.3.x-CVE-2009-4214.patch b/rubygem-actionpack-2.3.x-CVE-2009-4214.patch
new file mode 100644
index 0000000..d180be8
--- /dev/null
+++ b/rubygem-actionpack-2.3.x-CVE-2009-4214.patch
@@ -0,0 +1,39 @@
+From bfe032858077bb2946abe25e95e485ba6da86bd5 Mon Sep 17 00:00:00 2001
+From: Gabe da Silveira <gabe@websaviour.com>
+Date: Mon, 16 Nov 2009 21:17:35 -0800
+Subject: [PATCH] Make sure strip_tags removes tags which start with a non-printable character
+
+Signed-off-by: Michael Koziarski <michael@koziarski.com>
+---
+ .../vendor/html-scanner/html/node.rb | 2 +-
+ .../test/controller/html-scanner/sanitizer_test.rb | 1 +
+ 2 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+index 6c03316..0cd05d8 100644
+--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
++++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+@@ -162,7 +162,7 @@ module HTML #:nodoc:
+ end
+
+ closing = ( scanner.scan(/\//) ? :close : nil )
+- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
++ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
+ name.downcase!
+
+ unless closing
+diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
+index e85a5c7..1923544 100644
+--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
++++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
+@@ -19,6 +19,7 @@ class SanitizerTest < ActionController::TestCase
+ assert_equal "This has a here.", sanitizer.sanitize("This has a <!-- comment --> here.")
+ assert_equal "This has a here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
+ assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
++ assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag</a>")
+ [nil, '', ' '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
+ end
+
+--
+1.6.0.1
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index cef5f80..a12c62a 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -10,12 +10,17 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 2.3.4
-Release: 2%{?dist}
+Release: 4%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.gem
Patch0: rubygem-actionpack-2.3.4-enable-test.patch
+Patch1: rubygem-actionpack-2.3.x-CVE-2009-4214.patch
+#
+# Please someone fix the following Patch2!! (mtasaka)
+#
+Patch2: rubygem-actionpack-2.3.4-rack-compat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
@@ -43,8 +48,14 @@ gem install --local --install-dir .%{gemdir} \
-V \
--force --rdoc %{SOURCE0}
+# forcely modify gemspec for rack dependency
+sed -i -e '/rack/s|~>|>=|' \
+ ./%{gemdir}/specifications/*gemspec
+
pushd .%{geminstdir}
%patch0 -p0
+%patch1 -p2
+%patch2 -p0
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -110,6 +121,12 @@ rake test --trace
%changelog
+* Fri Jan 8 2010 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 1:2.3.4-4
+- Workaround patch to fix for rack 1.1.0 dependency (bug 552972)
+
+* Thu Dec 10 2009 David Lutterkort <lutter@redhat.com> - 1:2.3.4-3
+- Patch for CVE-2009-4214 (bz 542786)
+
* Wed Oct 7 2009 David Lutterkort <lutter@redhat.com> - 1:2.3.4-2
- Bump Epoch to ensure upgrade path from F-11