Fix some more security problems in cgi.rb.

ok msf@
2006-12-04 13:26:51 +00:00 · 2006-12-04 13:26:51 +00:00 · 07b32cb93a
commit 07b32cb93a
parent 03793902fe
2 changed files with 31 additions and 6 deletions
--- a/lang/ruby/Makefile
+++ b/lang/ruby/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.50 2006/11/27 09:52:52 bernd Exp $
+# $OpenBSD: Makefile,v 1.51 2006/12/04 13:26:51 bernd Exp $

 SHARED_ONLY=		Yes

@ -10,7 +10,7 @@ COMMENT-tk=		"tk interface for ruby"
 VERSION=		1.8.5
 DISTNAME=		ruby-${VERSION}
 SHARED_LIBS=		ruby 1.85
-PKGNAME-main=		${DISTNAME}p2
+PKGNAME-main=		${DISTNAME}p3
 PKGNAME-iconv=		ruby-iconv-${VERSION}p2
 PKGNAME-gdbm=		ruby-gdbm-${VERSION}p2
 PKGNAME-tk=		ruby-tk-${VERSION}p2
--- a/lang/ruby/patches/patch-lib_cgi_rb
+++ b/lang/ruby/patches/patch-lib_cgi_rb
@ -1,13 +1,30 @@
-$OpenBSD: patch-lib_cgi_rb,v 1.1 2006/11/02 12:46:13 bernd Exp $
+$OpenBSD: patch-lib_cgi_rb,v 1.2 2006/12/04 13:26:51 bernd Exp $

 Security fix for CVE-2006-5467 from ruby CVS. Should be fixed in >1.8.5.

 http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
 http://www.securityfocus.com/bid/20777/info

--- lib/cgi.rb.orig	Tue Oct 31 11:56:58 2006
-+++ lib/cgi.rb	Tue Oct 31 11:59:48 2006
-@@ -1018,7 +1018,7 @@ class CGI
+--- lib/cgi.rb.orig	Tue Aug 22 11:38:19 2006
+++ lib/cgi.rb	Mon Dec  4 12:25:09 2006
+@@ -967,6 +967,7 @@ class CGI
+     def read_multipart(boundary, content_length)
+       params = Hash.new([])
+       boundary = "--" + boundary
+      quoted_boundary = Regexp.quote(boundary, "n")
+       buf = ""
+       bufsize = 10 * 1024
+       boundary_end=""
+@@ -998,7 +999,7 @@ class CGI
+         end
+         body.binmode if defined? body.binmode
+ 
+-        until head and /#{boundary}(?:#{EOL}|--)/n.match(buf)
+        until head and /#{quoted_boundary}(?:#{EOL}|--)/n.match(buf)
+ 
+           if (not head) and /#{EOL}#{EOL}/n.match(buf)
+             buf = buf.sub(/\A((?:.|\n)*?#{EOL})#{EOL}/n) do
+@@ -1018,14 +1019,14 @@ class CGI
               else
                 stdinput.read(content_length)
               end
@ -16,3 +33,11 @@ http://www.securityfocus.com/bid/20777/info
             raise EOFError, "bad content body"
           end
           buf.concat(c)
+           content_length -= c.size
+         end
+ 
+-        buf = buf.sub(/\A((?:.|\n)*?)(?:[\r\n]{1,2})?#{boundary}([\r\n]{1,2}|--)/n) do
+        buf = buf.sub(/\A((?:.|\n)*?)(?:[\r\n]{1,2})?#{quoted_boundary}([\r\n]{1,2}|--)/n) do
+           body.print $1
+           if "--" == $2
+             content_length = -1