SUSE:SLE-12-SP2:GA
File CVE-2020-8163.patch of Package rubygem-actionview-4_2.15971
From 030d33c81514705ae9ec44422a063eb4bee2fbdd Mon Sep 17 00:00:00 2001 From: Matthew Draper <matthew@trebex.net> Date: Fri, 8 May 2020 11:52:26 -0400 Subject: [PATCH] Restrict which local names can be eval'd [CVE-2020-8163] Note: activesupport part of the patch removed - we have that in a separate package. --- lib/action_view/template.rb | 6 +++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/action_view/template.rb b/lib/action_view/template.rb index 6b61378a1f..753b854aef 100644 --- a/lib/action_view/template.rb +++ b/lib/action_view/template.rb @@ -312,8 +312,12 @@ module ActionView end def locals_code #:nodoc: + # Only locals with valid variable names get set directly. Others will + # still be available in local_assigns. + locals = @locals.to_set - Module::DELEGATION_RESERVED_METHOD_NAMES + locals = locals.grep(/\A(?![A-Z0-9])(?:[[:alnum:]_]|[^\0-\177])+\z/) # Double assign to suppress the dreaded 'assigned but unused variable' warning - @locals.each_with_object('') { |key, code| code << "#{key} = #{key} = local_assigns[:#{key}];" } + locals.each_with_object('') { |key, code| code << "#{key} = #{key} = local_assigns[:#{key}];" } end def method_name #:nodoc:
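Review bot: the new first line of `locals_code` depends on `Module::DELEGATION_RESERVED_METHOD_NAMES`, while the header note says the activesupport part of this patch was removed and lives in a separate package. If that constant is introduced by the removed part, this package needs a versioned requirement on the activesupport build that carries it; otherwise template compilation raises `NameError` as soon as `locals_code` runs. The diffstat summary still reads "2 files changed, 13 insertions(+), 1 deletion(-)" although only `lib/action_view/template.rb` remains, so it should be regenerated to match the trimmed patch. It would also help to extend the added comment to say that the `grep` filter deliberately rejects names starting with an uppercase letter or digit, so that a later cleanup does not loosen the pattern, since every accepted key is interpolated unescaped into the generated `#{key} = #{key} = local_assigns[:#{key}];` source.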