Hello community,

here is the log from the commit of package rubygem-actionpack-3_2 for 
openSUSE:Factory checked in at 2014-06-01 19:40:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-3_2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-actionpack-3_2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-actionpack-3_2"

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/rubygem-actionpack-3_2/rubygem-actionpack-3_2.changes
    2014-04-15 07:37:12.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.rubygem-actionpack-3_2.new/rubygem-actionpack-3_2.changes
       2014-06-01 19:40:58.000000000 +0200
@@ -1,0 +2,8 @@
+Mon May 26 14:12:15 UTC 2014 - jmassaguer...@suse.com
+
+- fix CVE-2014-0130: rubygem-actionpack: directory traversal issue
+  (bnc#876714)
+
+  CVE-2014-0130.patch: contains the fix
+
+-------------------------------------------------------------------

New:
----
  CVE-2014-0130.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-actionpack-3_2.spec ++++++
--- /var/tmp/diff_new_pack.M9qw6q/_old  2014-06-01 19:40:59.000000000 +0200
+++ /var/tmp/diff_new_pack.M9qw6q/_new  2014-06-01 19:40:59.000000000 +0200
@@ -28,6 +28,7 @@
 BuildRequires:  ruby-devel >= 1.8.7
 Url:            http://www.rubyonrails.org
 Source:         http://rubygems.org/gems/%{mod_full_name}.gem
+Source1:        CVE-2014-0130.patch
 Summary:        Web-flow and rendering framework putting the VC in MVC (part of
 License:        MIT
 Group:          Development/Languages/Ruby
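Review bot: the fix is declared with a `Source1:` tag rather than a `Patch0:` tag, so tooling that enumerates a package's patches will not see it. Because the file is applied by hand with `patch` in %prep this still builds, but `Patch0:        CVE-2014-0130.patch` with a comment line naming the CVE and bnc#876714 would make the security fix discoverable from the spec header.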
@@ -46,14 +47,20 @@
 Usually in RDoc and RI formats.
 
 %prep
-#gem_unpack
-#if you need patches, apply them here and replace the # with a % sign in the 
surrounding lines
-#gem_build
+gem unpack --verbose %{S:0}
+pushd %{mod_full_name}
+  chmod -R go-w .
+  gem spec --ruby %{S:0} > %{mod_full_name}.gemspec
+    patch -p2 < %{S:1}
+  gem build %{mod_full_name}.gemspec
+popd
 
 %build
 
 %install
-%gem_install -f
+pushd %{mod_full_name}
+%gem_install -f %{mod_full_name}.gem
+popd
 
 %files
 %defattr(-,root,root,-)
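Review bot: the `patch -p2 < %{S:1}` line is indented four spaces while the surrounding pushd block uses two; align it. The `-p2` strip level is right for this patch, whose paths start with `a/actionpack/lib/...`, so after removing two components it lands on `lib/abstract_controller/base.rb` inside the unpacked gem. Since the gem is then rebuilt from a regenerated gemspec and installed from `%{mod_full_name}.gem`, the installed artifact no longer matches the upstream gem checksum, which is worth a comment in %prep for anyone auditing the package later.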

++++++ CVE-2014-0130.patch ++++++
diff --git a/actionpack/lib/abstract_controller/base.rb 
b/actionpack/lib/abstract_controller/base.rb
index fd6a46f..2541125 100644
--- a/actionpack/lib/abstract_controller/base.rb
+++ b/actionpack/lib/abstract_controller/base.rb
@@ -112,7 +112,7 @@ module AbstractController
     def process(action, *args)
       @_action_name = action_name = action.to_s
 
-      unless action_name = method_for_action(action_name)
+      unless action_name = _find_action_name(action_name)
         raise ActionNotFound, "The action '#{action}' could not be found for 
#{self.class.name}"
       end
 
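Review bot: with this change `process` raises ActionNotFound for any action name that `_valid_action_name?` rejects, because `_find_action_name` returns false before `method_for_action` is consulted, so a separator-containing name never reaches `action_missing`. That is the point of the fix; a test that dispatches such a name and expects ActionNotFound would pin the behaviour against regressions.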
@@ -138,7 +138,7 @@ module AbstractController
     # available action consider actions that are also available
     # through other means, for example, implicit render ones.
     def available_action?(action_name)
-      method_for_action(action_name).present?
+      _find_action_name(action_name).present?
     end
 
     private
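Review bot: `_find_action_name` returns `false` for an invalid name while `method_for_action` returns `nil`; `present?` is false for both, so `available_action?` correctly reports an invalid name as unavailable. No change needed, only noting that the two falsy return values are handled consistently here.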
@@ -182,6 +182,23 @@ module AbstractController
       end
 
       # Takes an action name and returns the name of the method that will
+      # handle the action.
+      #
+      # It checks if the action name is valid and returns false otherwise.
+      #
+      # See method_for_action for more information.
+      #
+      # ==== Parameters
+      # * <tt>action_name</tt> - An action name to find a method name for
+      #
+      # ==== Returns
+      # * <tt>string</tt> - The name of the method that handles the action
+      # * false           - No valid method name could be found. Raise 
ActionNotFound.
+      def _find_action_name(action_name)
+        _valid_action_name?(action_name) && method_for_action(action_name)
+      end
+
+      # Takes an action name and returns the name of the method that will
       # handle the action. In normal cases, this method returns the same
       # name as it receives. By default, if #method_for_action receives
       # a name that is not an action, it will look for an #action_missing
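Review bot: the `==== Returns` entry for the false case of `_find_action_name` says "Raise ActionNotFound", but this method does not raise; the caller in `process` does. Suggest "The caller should raise ActionNotFound", which is consistent with the same sentence being dropped from the `method_for_action` docs in the following hunk.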
@@ -203,11 +220,16 @@ module AbstractController
       #
       # ==== Returns
       # * <tt>string</tt> - The name of the method that handles the action
-      # * <tt>nil</tt>    - No method name could be found. Raise 
ActionNotFound.
+      # * <tt>nil</tt>    - No method name could be found.
       def method_for_action(action_name)
         if action_method?(action_name) then action_name
         elsif respond_to?(:action_missing, true) then "_handle_action_missing"
         end
       end
+
+      # Checks if the action name is valid and returns false otherwise.
+      def _valid_action_name?(action_name)
+        action_name.to_s !~ Regexp.new(File::SEPARATOR)
+      end
   end
 end
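Review bot: `_valid_action_name?` only rejects `File::SEPARATOR` (`/`); it does not consider `File::ALT_SEPARATOR`, which is `\` on Windows and nil elsewhere, so a backslash in an action name still passes on Windows. Building the pattern from `[File::SEPARATOR, File::ALT_SEPARATOR].compact` covers both. Also, `Regexp.new(File::SEPARATOR)` is compiled on every call to `process`; since the check is a plain substring test, `action_name.to_s.include?(File::SEPARATOR)` (or a hoisted constant) reads more directly and avoids the per-request allocation.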


