Projects
openEuler:22.03:LTS:LoongArch
rubygem-actionpack
_service:tar_scm_kernel_repo:CVE-2023-28362.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:CVE-2023-28362.patch of Package rubygem-actionpack
From 1c3f93d1e90a3475f9ae2377ead25ccf11f71441 Mon Sep 17 00:00:00 2001 From: Zack Deveau <zack.ref@gmail.com> Date: Fri, 12 May 2023 13:04:22 -0400 Subject: [PATCH] Added check for illegal HTTP header value in redirect_to The set of legal characters for an HTTP header value is described in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6. This commit adds a check to redirect_to that ensures the provided URL does not contain any of the illegal characters. Downstream consumers of the resulting Location response header may remove the header if it does not comply with the RFC. This can result in a cross site scripting (XSS) vector by allowing for the redirection page to sit idle waiting for user interaction with the provided malicious link. [CVE-2023-28362] Origin: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441 --- .../action_controller/metal/redirecting.rb | 21 ++++++++++++++++++- actionpack/test/controller/redirect_test.rb | 17 +++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb index 11d462855d064..fdd3f9dc44149 100644 --- a/actionpack/lib/action_controller/metal/redirecting.rb +++ b/actionpack/lib/action_controller/metal/redirecting.rb @@ -7,6 +7,10 @@ module Redirecting include AbstractController::Logger include ActionController::UrlFor + ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze + + class UnsafeRedirectError < StandardError; end + # Redirects the browser to the target specified in +options+. This parameter can be any one of: # # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+. @@ -60,7 +64,11 @@ def redirect_to(options = {}, response_options = {}) raise AbstractController::DoubleRenderError if response_body self.status = _extract_redirect_to_status(options, response_options) - self.location = _compute_redirect_to_location(request, options) + + redirect_to_location = _compute_redirect_to_location(request, options) + _ensure_url_is_http_header_safe(redirect_to_location) + + self.location = redirect_to_location self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>" end @@ -129,5 +137,16 @@ def _url_host_allowed?(url) rescue ArgumentError, URI::Error false end + + def _ensure_url_is_http_header_safe(url) + # Attempt to comply with the set of valid token characters + # defined for an HTTP header value in + # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6 + if url.match(ILLEGAL_HEADER_VALUE_REGEX) + msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \ + "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6" + raise UnsafeRedirectError, msg + end + end end end
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.