File CVE-2023-22792.patch of Package rubygem-actionpack-4_2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2023-22792.patch of Package rubygem-actionpack-4_2

From 90e8a9089b700649317a0761dc8a02a3873d9947 Mon Sep 17 00:00:00 2001
From: sabulikia <sabakiaei@gmail.com>
Date: Thu, 7 Jul 2022 16:10:20 -0400
Subject: [PATCH] Use string#split instead of regex for domain parts

[CVE-2023-22792]
SUSE: adapt for version 4.2.9
---
--- actionpack.orig/lib/action_dispatch/middleware/cookies.rb	2023-01-26 16:34:59.917489144 +0100
+++ actionpack/lib/action_dispatch/middleware/cookies.rb	2023-01-26 17:42:24.117985672 +0100
@@ -199,20 +199,6 @@ module ActionDispatch
     class CookieJar #:nodoc:
       include Enumerable, ChainedCookieJars
 
-      # This regular expression is used to split the levels of a domain.
-      # The top level domain can be any string without a period or
-      # **.**, ***.** style TLDs like co.uk or com.au
-      #
-      # www.example.co.uk gives:
-      # $& => example.co.uk
-      #
-      # example.com gives:
-      # $& => example.com
-      #
-      # lots.of.subdomains.example.local gives:
-      # $& => example.local
-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
-
       def self.options_for_env(env) #:nodoc:
         { signed_cookie_salt: env[SIGNED_COOKIE_SALT] || '',
           encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT] || '',
@@ -284,13 +270,35 @@ module ActionDispatch
         options[:path] ||= "/"
 
         if options[:domain] == :all
-          # if there is a provided tld length then we use it otherwise default domain regexp
-          domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
+          cookie_domain = ""
+          dot_splitted_host = request.host.split('.', -1)
 
-          # if host is not ip and matches domain regexp
-          # (ip confirms to domain regexp so we explicitly check for ip)
-          options[:domain] = if (@host !~ /^[\d.]+$/) && (@host =~ domain_regexp)
-            ".#{$&}"
+          # Case where request.host is not an IP address or it's an invalid domain
+          # (ip confirms to the domain structure we expect so we explicitly check for ip)
+          if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
+            options[:domain] = nil
+            return
+          end
+
+          # If there is a provided tld length then we use it otherwise default domain.
+          if options[:tld_length].present? 
+            # Case where the tld_length provided is valid
+            if dot_splitted_host.length >= options[:tld_length]
+              cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+            end
+          # Case where tld_length is not provided
+          else
+            # Regular TLDs
+            if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
+              cookie_domain = dot_splitted_host.last(2).join('.')
+            # **.**, ***.** style TLDs like co.uk and com.au
+            else
+              cookie_domain = dot_splitted_host.last(3).join('.')
+            end
+          end
+
+          options[:domain] = if cookie_domain.present?
+            ".#{cookie_domain}"
           end
         elsif options[:domain].is_a? Array
           # if host matches one of the supplied domains without a dot in front of it

Places

File CVE-2023-22792.patch of Package rubygem-actionpack-4_2

Places