From 1e5fa86bd70c854e0c3eda8256844552167f5289 Mon Sep 17 00:00:00 2001
From: taca
Date: Sun, 10 Jan 2010 15:33:28 +0000
Subject: Add patches for security problem of webrick.

http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/

Bump PKGREVISION.
---
 lang/ruby18-base/Makefile | 4 +--
 lang/ruby18-base/distinfo | 6 +++-
 lang/ruby18-base/patches/patch-dw | 34 ++++++++++++++++++++++
 lang/ruby18-base/patches/patch-dx | 21 ++++++++++++++
 lang/ruby18-base/patches/patch-dy | 60 +++++++++++++++++++++++++++++++++++++++
 lang/ruby18-base/patches/patch-dz | 22 ++++++++++++++
 6 files changed, 144 insertions(+), 3 deletions(-)
 create mode 100644 lang/ruby18-base/patches/patch-dw
 create mode 100644 lang/ruby18-base/patches/patch-dx
 create mode 100644 lang/ruby18-base/patches/patch-dy
 create mode 100644 lang/ruby18-base/patches/patch-dz

(limited to 'lang/ruby18-base')

diff --git a/lang/ruby18-base/Makefile b/lang/ruby18-base/Makefile
index 15e42b32416..77c7da2d6dd 100644
--- a/lang/ruby18-base/Makefile
+++ b/lang/ruby18-base/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.52 2009/08/11 14:26:58 taca Exp $
+# $NetBSD: Makefile,v 1.53 2010/01/10 15:33:28 taca Exp $
 #
 
 DISTNAME= ${RUBY_DISTNAME}
 PKGNAME= ${RUBY_PKGPREFIX}-base-${RUBY_VERSION_SUFFIX}
 CATEGORIES= lang ruby
 MASTER_SITES= ${MASTER_SITE_RUBY}
-PKGREVISION= 2
+PKGREVISION= 3
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= ${RUBY_HOMEPAGE}
diff --git a/lang/ruby18-base/distinfo b/lang/ruby18-base/distinfo
index e874af623df..f053fdb04cb 100644
--- a/lang/ruby18-base/distinfo
+++ b/lang/ruby18-base/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2009/08/11 14:26:58 taca Exp $
+$NetBSD: distinfo,v 1.41 2010/01/10 15:33:28 taca Exp $
 
 SHA1 (ruby-1.8.7-p174.tar.bz2) = 9e84b49ad545ad54b8e7dc3c227eaaefeb1041aa
 RMD160 (ruby-1.8.7-p174.tar.bz2) = f854d456003af1e31d50330c88c3cb152c434249
@@ -21,3 +21,7 @@ SHA1 (patch-ds) = 5344a63980b88d83e279cee50398312b90d5c2da
 SHA1 (patch-dt) = 3dd34a91cbffcb8e432d926c9490372f238e7f2e
 SHA1 (patch-du) = 55f021e2eb780743e35ecf70141f7738b04f4b62
 SHA1 (patch-dv) = 25e779444c16717c7aaf800ebf68988878ed636f
+SHA1 (patch-dw) = 4937ee0f2b79cfc93f378b415d1a81cbf997b8d4
+SHA1 (patch-dx) = d25267d700f997b951a65c016f45347a8b1a1517
+SHA1 (patch-dy) = 6c2f978b1803d2939377a4904cfc71e71a3b5fea
+SHA1 (patch-dz) = 52af1fbf17b6e6df6112d08c291215d54a25af67
diff --git a/lang/ruby18-base/patches/patch-dw b/lang/ruby18-base/patches/patch-dw
new file mode 100644
index 00000000000..1866e6bb5dc
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dw
@@ -0,0 +1,34 @@
+$NetBSD: patch-dw,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/accesslog.rb.orig 2007-02-12 23:01:19.000000000 +0000
++++ lib/webrick/accesslog.rb
+@@ -53,15 +53,23 @@ module WEBrick
+ when ?e, ?i, ?n, ?o
+ raise AccessLogError,
+ "parameter is required for \"#{spec}\"" unless param
+- params[spec][param] || "-"
++ param = params[spec][param] ? escape(param) : "-"
+ when ?t
+ params[spec].strftime(param || CLF_TIME_FORMAT)
+ when ?%
+ "%"
+ else
+- params[spec]
++ escape(params[spec].to_s)
+ end
+ }
+ end
++
++ def escape(data)
++ if data.tainted?
++ data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
++ else
++ data
++ end
++ end
+ end
+ end
diff --git a/lang/ruby18-base/patches/patch-dx b/lang/ruby18-base/patches/patch-dx
new file mode 100644
index 00000000000..4a1a217fa3a
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dx
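Review bot: The rewritten `%{name}e/i/n/o` branch logs the parameter name rather than the looked-up value: `param = params[spec][param] ? escape(param) : "-"` parses as an assignment of the whole ternary, so the lookup is only tested and `escape(param)` receives `param`, which is still the `{...}` key captured above the hunk; `%{User-Agent}i` would print the literal text `User-Agent` where the removed line returned `params[spec][param]`. The intended form is `(param = params[spec][param]) ? escape(param) : "-"`, assigning the value before the test. Separately, `escape` rewrites only tainted strings, so any caller that untaints request-derived data before it reaches the log reintroduces raw control characters; a comment on `escape` such as `# relies on Ruby taint as the marker for request-derived text; untainted input is emitted verbatim` would make that contract explicit. The enclosing `format` method starts above this hunk.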
@@ -0,0 +1,21 @@
+$NetBSD: patch-dx,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/httprequest.rb.orig 2009-02-14 19:17:52.000000000 +0000
++++ lib/webrick/httprequest.rb
+@@ -242,11 +242,7 @@ module WEBrick
+ @raw_header << line
+ end
+ end
+- begin
+- @header = HTTPUtils::parse_header(@raw_header)
+- rescue => ex
+- raise HTTPStatus::BadRequest, ex.message
+- end
++ @header = HTTPUtils::parse_header(@raw_header.join)
+ end
+ 
+ def parse_uri(str, scheme="http")
diff --git a/lang/ruby18-base/patches/patch-dy b/lang/ruby18-base/patches/patch-dy
new file mode 100644
index 00000000000..279c053ccb1
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dy
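Review bot: Dropping the `begin`/`rescue` narrows the 400 path: only errors that `parse_header` itself raises as `HTTPStatus::BadRequest` (the patch-dz change) still become a 400, whereas the removed `rescue => ex` turned every StandardError from header parsing into BadRequest, so any other exception on malformed input now propagates as a server error. That is acceptable if parse_header raises nothing else, but it deserves a comment at the call: `# parse_header raises HTTPStatus::BadRequest itself for malformed lines; no other error is expected here`. The argument also changes from the Array `@raw_header` to `@raw_header.join`, which presumes parse_header now iterates a String; the iteration part of parse_header is outside the dz hunk, so confirm that change landed with it. The enclosing `read_header` method starts above this hunk.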
@@ -0,0 +1,60 @@
+$NetBSD: patch-dy,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/httpstatus.rb.orig 2007-02-12 23:01:19.000000000 +0000
++++ lib/webrick/httpstatus.rb
+@@ -12,7 +12,17 @@ module WEBrick
+ 
+ module HTTPStatus
+ 
+- class Status < StandardError; end
++ class Status < StandardError
++ def initialize(message=self.class, *rest)
++ super(AccessLog.escape(message), *rest)
++ end
++ class << self
++ attr_reader :code, :reason_phrase
++ end
++ def code() self::class::code end
++ def reason_phrase() self::class::reason_phrase end
++ alias to_i code
++ end
+ class Info < Status; end
+ class Success < Status; end
+ class Redirect < Status; end
+@@ -68,6 +78,7 @@ module WEBrick
+ CodeToError = {}
+ 
+ StatusMessage.each{|code, message|
++ message.freeze
+ var_name = message.gsub(/[ \-]/,'_').upcase
+ err_name = message.gsub(/[ \-]/,'')
+ 
+@@ -79,18 +90,12 @@ module WEBrick
+ when 500...600; parent = ServerError
+ end
+ 
+- eval %-
+- RC_#{var_name} = #{code}
+- class #{err_name} < #{parent}
+- def self.code() RC_#{var_name} end
+- def self.reason_phrase() StatusMessage[code] end
+- def code() self::class::code end
+- def reason_phrase() self::class::reason_phrase end
+- alias to_i code
+- end
+- -
+-
+- CodeToError[code] = const_get(err_name)
++ const_set("RC_#{var_name}", code)
++ err_class = Class.new(parent)
++ err_class.instance_variable_set(:@code, code)
++ err_class.instance_variable_set(:@reason_phrase, message)
++ const_set(err_name, err_class)
++ CodeToError[code] = err_class
+ }
+ 
+ def reason_phrase(code)
diff --git a/lang/ruby18-base/patches/patch-dz b/lang/ruby18-base/patches/patch-dz
new file mode 100644
index 00000000000..2433b248b9c
--- /dev/null
+++ b/lang/ruby18-base/patches/patch-dz
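Review bot: `Status#initialize` calls `AccessLog.escape(message)` as a module-level function, but the `escape` added in patch-dw is a plain `def` inside `module AccessLog`; that call only resolves if a `module_function` (or equivalent) directive earlier in accesslog.rb, outside the dw hunk, covers it, so the dependency should be confirmed and noted, e.g. `# AccessLog.escape replaces control chars and backslashes in tainted (request-derived) text before it reaches logs`. Note also that the default `message=self.class` passes a Class through `escape`, which returns it unchanged because a Class is never tainted; that preserves the old behaviour of `raise HTTPStatus::NotFound` with no message but is easy to misread as an escaping gap. Replacing the `eval %-...-` block with `Class.new(parent)` plus `const_set` is a good change in its own right: the names come from a fixed table, but removing string-built code from the loader is the right direction. `module HTTPStatus` continues past the last hunk.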
@@ -0,0 +1,22 @@
+$NetBSD: patch-dz,v 1.1 2010/01/10 15:33:28 taca Exp $
+
+webrick security fix.
+
+http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
+
+--- lib/webrick/httputils.rb.orig 2008-08-04 05:21:05.000000000 +0000
++++ lib/webrick/httputils.rb
+@@ -128,11 +128,11 @@ module WEBrick
+ when /^\s+(.*?)\s*\z/om
+ value = $1
+ unless field
+- raise "bad header '#{line.inspect}'."
++ raise HTTPStatus::BadRequest, "bad header '#{line}'."
+ end
+ header[field][-1] << " " << value
+ else
+- raise "bad header '#{line.inspect}'."
++ raise HTTPStatus::BadRequest, "bad header '#{line}'."
+ end
+ }
+ header.each{|key, values|
-- 
cgit v1.2.3
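Review bot: The two new `raise` lines interpolate the raw `line` instead of `line.inspect`, so protection against escape-sequence injection in this message now rests entirely on `HTTPStatus::Status#initialize` escaping tainted text (patch-dy); taken on its own this hunk makes the message less safe, not more, and that coupling should be recorded at the raise, e.g. `# line is tainted socket data; Status#initialize escapes it before it is logged`. The hunk also introduces a reference to `HTTPStatus::BadRequest` from inside `HTTPUtils`; the `require` lines at the top of httputils.rb are outside this hunk, so if the file does not itself load webrick/httpstatus, a malformed header raises NameError rather than BadRequest when httputils is used standalone. The enclosing `parse_header` method starts and ends outside this hunk.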