commit rubygem-actionpack-3_2 for openSUSE:Factory
Hello community, here is the log from the commit of package rubygem-actionpack-3_2 for openSUSE:Factory checked in at 2014-06-01 19:40:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-actionpack-3_2 (Old) and /work/SRC/openSUSE:Factory/.rubygem-actionpack-3_2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "rubygem-actionpack-3_2" Changes: --------
--- /work/SRC/openSUSE:Factory/rubygem-actionpack-3_2/rubygem-actionpack-3_2.changes 2014-04-15 07:37:12.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-actionpack-3_2.new/rubygem-actionpack-3_2.changes 2014-06-01 19:40:58.000000000 +0200
@@ -1,0 +2,8 @@
+Mon May 26 14:12:15 UTC 2014 - jmassaguerpla@suse.com
+
+- fix CVE-2014-0130: rubygem-actionpack: directory traversal issue
+ (bnc#876714)
+
+ CVE-2014-0130.patch: contains the fix
+
+-------------------------------------------------------------------
New: ---- CVE-2014-0130.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-actionpack-3_2.spec ++++++
--- /var/tmp/diff_new_pack.M9qw6q/_old 2014-06-01 19:40:59.000000000 +0200
+++ /var/tmp/diff_new_pack.M9qw6q/_new 2014-06-01 19:40:59.000000000 +0200
@@ -28,6 +28,7 @@
 BuildRequires: ruby-devel >= 1.8.7
 Url: http://www.rubyonrails.org
 Source: http://rubygems.org/gems/%{mod_full_name}.gem
+Source1: CVE-2014-0130.patch
 Summary: Web-flow and rendering framework putting the VC in MVC (part of
 License: MIT
 Group: Development/Languages/Ruby
@@ -46,14 +47,20 @@
 Usually in RDoc and RI formats.
 
 %prep
-#gem_unpack
-#if you need patches, apply them here and replace the # with a % sign in the surrounding lines
-#gem_build
+gem unpack --verbose %{S:0}
+pushd %{mod_full_name}
+ chmod -R go-w .
+ gem spec --ruby %{S:0} > %{mod_full_name}.gemspec
+ patch -p2 < %{S:1}
+ gem build %{mod_full_name}.gemspec
+popd
 
 %build
 
 %install
-%gem_install -f
+pushd %{mod_full_name}
+%gem_install -f %{mod_full_name}.gem
+popd
 
 %files
 %defattr(-,root,root,-)
++++++ CVE-2014-0130.patch ++++++
diff --git a/actionpack/lib/abstract_controller/base.rb b/actionpack/lib/abstract_controller/base.rb
index fd6a46f..2541125 100644
--- a/actionpack/lib/abstract_controller/base.rb
+++ b/actionpack/lib/abstract_controller/base.rb
@@ -112,7 +112,7 @@ module AbstractController
 def process(action, *args)
 @_action_name = action_name = action.to_s
 
- unless action_name = method_for_action(action_name)
+ unless action_name = _find_action_name(action_name)
 raise ActionNotFound, "The action '#{action}' could not be found for #{self.class.name}"
 end
 
@@ -138,7 +138,7 @@ module AbstractController
 # available action consider actions that are also available
 # through other means, for example, implicit render ones.
 def available_action?(action_name)
- method_for_action(action_name).present?
+ _find_action_name(action_name).present?
 end
 
 private
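Review bot: The fix is declared as `Source1: CVE-2014-0130.patch` and applied by a hand-written `patch -p2 < %{S:1}` in %prep, so rpm/OBS tooling that inspects `Patch` tags will not recognise it as a patch; the conventional form is `Patch0: CVE-2014-0130.patch` in the preamble and `%patch0 -p2` at the same spot inside the `pushd`, which should apply identically given the `a/actionpack/` prefix in the patch (worth confirming on a local build). The `gem spec --ruby` / `gem build` pair then repackages the gem from the patched tree, so what `%gem_install` installs is no longer the upstream %{S:0} artifact; a one-line comment above `gem unpack` stating that the gem is rebuilt because the CVE fix has to land before install would save the next packager from wondering why the old `%gem_unpack` macros were dropped.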
@@ -182,6 +182,23 @@ module AbstractController
 end
 
 # Takes an action name and returns the name of the method that will
+ # handle the action.
+ #
+ # It checks if the action name is valid and returns false otherwise.
+ #
+ # See method_for_action for more information.
+ #
+ # ==== Parameters
+ # * <tt>action_name</tt> - An action name to find a method name for
+ #
+ # ==== Returns
+ # * <tt>string</tt> - The name of the method that handles the action
+ # * false - No valid method name could be found. Raise ActionNotFound.
+ def _find_action_name(action_name)
+ _valid_action_name?(action_name) && method_for_action(action_name)
+ end
+
+ # Takes an action name and returns the name of the method that will
 # handle the action. In normal cases, this method returns the same
 # name as it receives. By default, if #method_for_action receives
 # a name that is not an action, it will look for an #action_missing
@@ -203,11 +220,16 @@ module AbstractController
 #
 # ==== Returns
 # * <tt>string</tt> - The name of the method that handles the action
- # * <tt>nil</tt> - No method name could be found. Raise ActionNotFound.
+ # * <tt>nil</tt> - No method name could be found.
 def method_for_action(action_name)
 if action_method?(action_name) then action_name
 elsif respond_to?(:action_missing, true) then "_handle_action_missing"
 end
 end
+
+ # Checks if the action name is valid and returns false otherwise.
+ def _valid_action_name?(action_name)
+ action_name.to_s !~ Regexp.new(File::SEPARATOR)
+ end
 end
 end
-- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
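Review bot: The `==== Returns` list on `_find_action_name` names `false` as the only non-string result, but `_valid_action_name?(action_name) && method_for_action(action_name)` also yields `nil` when the name is valid and `method_for_action` finds no handler; `process` treats both as not found, and the doc should say so. Replace the last bullet with `# * false / <tt>nil</tt> - The name is invalid (false) or no method handles it (nil). Raise ActionNotFound.` Since the validity check runs before the call to `method_for_action`, subclasses that override `method_for_action` are covered as well, which is worth one sentence in the comment because both helpers sit below the `private` marker shown in the previous hunk and are easy to overlook.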
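Review bot: `_valid_action_name?` rejects only `File::SEPARATOR`, so on platforms where `File::ALT_SEPARATOR` is set (it is `nil` on POSIX) a backslash-separated name still reaches `method_for_action`; a plain string test also avoids compiling a `Regexp` on every request. Suggested body: `name = action_name.to_s` / `return false if name.include?(File::SEPARATOR)` / `!(File::ALT_SEPARATOR && name.include?(File::ALT_SEPARATOR))`. The doc edit on `method_for_action` drops "Raise ActionNotFound" but does not state that the method itself no longer validates its input; add `# Does not validate the name; callers must go through _find_action_name.` above its `def` so that any direct caller knows the check lives elsewhere.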