SUSE:SLE-12-SP5:Update
File CVE-2020-8165.patch of Package rubygem-activesupport-4_2
From 1de629cd6e932e517abb9bb024dff41b2e16738c Mon Sep 17 00:00:00 2001 From: Dylan Thacker-Smith <Dylan.Smith@shopify.com> Date: Sat, 22 Sep 2018 17:57:58 -0400 Subject: [PATCH] activesupport: Avoid Marshal.load on raw cache value in MemCacheStore and RedisCacheStore Dalli is already being used for marshalling, so we should also rely on it for unmarshalling. Since Dalli tags the cache value as marshalled it can avoid unmarshalling a raw string which might have come from an untrusted source. activesupport: Deprecate Marshal.load on raw cache read in RedisCacheStore The same value for the `raw` option should be provided for both reading and writing to avoid Marshal.load being called on untrusted data. [CVE-2020-8165] Note: this has been backported to 4.2 from the original patch. --- .../active_support/cache/mem_cache_store.rb | 14 ++-------- .../active_support/cache/redis_cache_store.rb | 27 +++++++++++-------- .../cache_increment_decrement_behavior.rb | 12 ++++----- .../cache/behaviors/cache_store_behavior.rb | 6 ++--- .../behaviors/encoded_key_cache_behavior.rb | 8 +++--- .../cache/behaviors/local_cache_behavior.rb | 10 +++---- .../test/cache/stores/mem_cache_store_test.rb | 4 +-- .../cache/stores/redis_cache_store_test.rb | 3 ++- 8 files changed, 40 insertions(+), 44 deletions(-) diff --git a/lib/active_support/cache/mem_cache_store.rb b/lib/active_support/cache/mem_cache_store.rb index f84c609033b3..dc062f8f87dc 100644 --- a/lib/active_support/cache/mem_cache_store.rb +++ b/lib/active_support/cache/mem_cache_store.rb @@ -6,7 +6,6 @@ rescue LoadError => e end require 'digest/md5' -require 'active_support/core_ext/marshal' require 'active_support/core_ext/array/extract_options' module ActiveSupport @@ -163,9 +162,8 @@ module ActiveSupport key end - def deserialize_entry(raw_value) - if raw_value - entry = Marshal.load(raw_value) rescue raw_value + def deserialize_entry(entry) + if entry entry.is_a?(Entry) ? entry : Entry.new(entry) else nil 
@@ -175,14 +173,6 @@ module ActiveSupport # Provide support for raw values in the local cache strategy. module LocalCacheWithRaw # :nodoc: protected - def read_entry(key, options) - entry = super - if options[:raw] && local_cache && entry - entry = deserialize_entry(entry.value) - end - entry - end - def write_entry(key, entry, options) # :nodoc: retval = super if options[:raw] && local_cache && retval
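Review bot: in the `deserialize_entry` hunk of mem_cache_store.rb (@@ -163,9 +162,8), the method keeps its name but no longer deserializes anything, so a later reader could put `Marshal.load` back here thinking it was dropped by mistake. Add a comment above `def deserialize_entry(entry)` stating that unmarshalling is left to Dalli, which tags marshalled values, and that a String arriving here is a raw value to be wrapped with `Entry.new(entry)` and never unmarshalled. The changelog should also mention the behaviour change: a raw String whose bytes happen to be a Marshal dump was loaded by the removed `Marshal.load(raw_value) rescue raw_value` line and now comes back as a plain String, which affects callers that wrote with `raw: true` and read without it.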
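Review bot: in the `LocalCacheWithRaw` hunk (@@ -175,14 +173,6), the `read_entry` override is removed while the `if options[:raw] && local_cache && retval` branch in `write_entry` stays, and the body of that branch is cut off in this listing. With the read side gone, that branch has to place an Entry holding the raw string into the local cache, not marshalled bytes, otherwise a raw read served from the local cache returns something different from one served by memcached. Please confirm that, and cover it with a test that writes with `raw: true` and reads the same key back inside a local-cache block.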