File CVE-2020-8163.patch of Package rubygem-activesupport-4_2.27570

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2020-8163.patch of Package rubygem-activesupport-4_2.27570

From 030d33c81514705ae9ec44422a063eb4bee2fbdd Mon Sep 17 00:00:00 2001
From: Matthew Draper <matthew@trebex.net>
Date: Fri, 8 May 2020 11:52:26 -0400
Subject: [PATCH] Restrict which local names can be eval'd

[CVE-2020-8163]

Note: actionview part of the patch removed - we have that in a separate
package.

---
 .../lib/active_support/core_ext/module/delegation.rb      | 8 ++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/active_support/core_ext/module/delegation.rb b/lib/active_support/core_ext/module/delegation.rb
index 6fedf454e1..ea3730d9d5 100644
--- a/lib/active_support/core_ext/module/delegation.rb
+++ b/lib/active_support/core_ext/module/delegation.rb
@@ -11,6 +11,14 @@ class Module
        return self super then true undef unless until when while yield)
   ).freeze
 
+  DELEGATION_RESERVED_KEYWORDS = Set.new(
+    %w(_ arg args block)
+  )
+
+  DELEGATION_RESERVED_METHOD_NAMES = Set.new(
+    RUBY_RESERVED_WORDS + DELEGATION_RESERVED_KEYWORDS
+  ).freeze
+
   # Provides a +delegate+ class method to easily expose contained objects'
   # public methods as your own.
   #
-- 
2.26.2

Places

File CVE-2020-8163.patch of Package rubygem-activesupport-4_2.27570

Places