From d3dcbb5472db7fa9cac59562c6961e5fbdbffdc2 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Tue, 8 Oct 2024 16:33:08 +0800
Subject: [PATCH] fix CVE-2024-47220

(cherry picked from commit 39817c21d36696bc945f8e42fdde789a38c3dbdb)
---
 backport-CVE-2024-47220.patch | 62 +++++++++++++++++++++++++++++++++++
 ruby.spec | 6 +++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-47220.patch

diff --git a/backport-CVE-2024-47220.patch b/backport-CVE-2024-47220.patch
new file mode 100644
index 0000000..22c1281
--- /dev/null
+++ b/backport-CVE-2024-47220.patch
@@ -0,0 +1,62 @@
+From f5faca9222541591e1a7c3c97552ebb0c92733c7 Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Wed, 18 Sep 2024 14:11:49 -0700
+Subject: [PATCH] Prevent request smuggling
+
+If a request has both a content-length and transfer-encoding
+headers, return a 400 response. This is allowed by RFC 7230
+section 3.3.3.3.
+
+Fixes #145
+---
+ tool/lib/webrick/httprequest.rb | 4 ++++
+ tool/test/webrick/test_httprequest.rb | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/tool/lib/webrick/httprequest.rb b/tool/lib/webrick/httprequest.rb
+index 5cf5844..820acb2 100644
+--- a/tool/lib/webrick/httprequest.rb
++++ b/tool/lib/webrick/httprequest.rb
+@@ -474,6 +474,10 @@ module WEBrick
+ def read_body(socket, block)
+ return unless socket
+ if tc = self['transfer-encoding']
++ if self['content-length']
++ raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"
++ end
++
+ case tc
+ when /\Achunked\z/io then read_chunked(socket, block)
+ else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
+diff --git a/tool/test/webrick/test_httprequest.rb b/tool/test/webrick/test_httprequest.rb
+index 855ff9d..cce9b91 100644
+--- a/tool/test/webrick/test_httprequest.rb
++++ b/tool/test/webrick/test_httprequest.rb
+@@ -81,6 +81,24 @@ GET /
+ }
+ end
+
++ def test_content_length_and_transfer_encoding_headers_smuggling
++ msg = <<~HTTP.gsub("\n", "\r\n")
++ POST /user HTTP/1.1
++ Content-Length: 28
++ Transfer-Encoding: chunked
++
++ 0
++
++ GET /admin HTTP/1.1
++
++ HTTP
++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
++ req.parse(StringIO.new(msg))
++ assert_raise(WEBrick::HTTPStatus::BadRequest){
++ req.body
++ }
++ end
++
+ def test_parse_headers
+ msg = <<-_end_of_message_
+ GET /path HTTP/1.1
+--
+2.27.0
+
diff --git a/ruby.spec b/ruby.spec
index d4bc6dd..1484200 100644
--- a/ruby.spec
+++ b/ruby.spec
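Review bot: The new guard lives inside `read_body`, and the added test reaches it through `req.body` rather than `req.parse`, so the 400 appears to be raised only once a handler actually reads the body; if `read_body` is invoked lazily (the nested hunk does not show `parse`), a request carrying both headers would still pass header parsing and only be rejected later, which is worth confirming against WEBrick's keep-alive handling. Consider also rejecting the Content-Length/Transfer-Encoding combination at header-parse time, or at least documenting the intent on the check, e.g. `# RFC 7230 section 3.3.3: a message with both Transfer-Encoding and Content-Length is treated as malformed to prevent request smuggling`. A minor style point: the four-line `if self['content-length'] ... end` block can be written in modifier form, `raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling" if self['content-length']`. The enclosing `read_body` method continues outside the nested hunk.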
@@ -33,7 +33,7 @@ Name: ruby
 Version: %{ruby_version}
-Release: 145
+Release: 146
 Summary: Object-oriented scripting language interpreter
 License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL: https://www.ruby-lang.org/en/
@@ -101,6 +101,7 @@ Patch6024: upgrade-lib-rexml-to-3.3.1.patch
 Patch6025: backport-CVE-2024-41946.patch
 Patch6026: backport-CVE-2024-39908-CVE-2024-41123-upgrade-lib-rexml-to-3.3.3.patch
 Patch6027: backport-CVE-2024-43398-upgrade-lib-rexml-to-3.3.6.patch
+Patch6028: backport-CVE-2024-47220.patch
 
 Provides: %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@@ -886,6 +887,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec
 
 %changelog
+* Tue Oct 08 2024 shixuantong - 3.2.2-146
+- fix CVE-2024-47220
+
 * Thu Aug 29 2024 shixuantong - 3.2.2-145
 - upgrade rexml to fix CVE-2024-39908 CVE-2024-41123 CVE-2024-43398
-- Gitee
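Review bot: `Patch6028:` is declared in the second hunk but this diff shows no matching application step; if `%prep` applies patches one by one with `%patchN` rather than `%autosetup`/`%autopatch`, a `%patch6028 -p1` line is needed as well, and rpmbuild may not fail loudly on a declared-but-unapplied patch, so the fix would silently be missing from the built package. The backported change targets `tool/lib/webrick/httprequest.rb`, which in the Ruby source tree is test tooling rather than an installed library; if this package also ships webrick as a gem, confirm that copy is covered too, since this patch would not reach it. The Release bump and the changelog entry agree with each other (146 / 3.2.2-146).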