pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/www/ruby-actionpack Security fix for:
details: https://anonhg.NetBSD.org/pkgsrc/rev/d332c4066893
branches: trunk
changeset: 395914:d332c4066893
user: minskim <minskim%pkgsrc.org@localhost>
date: Thu Jul 16 11:00:25 2009 +0000
description:
Security fix for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
From rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489.
diffstat:
www/ruby-actionpack/Makefile | 7 ++++++-
www/ruby-actionpack/distinfo | 3 ++-
www/ruby-actionpack/patches/patch-aa | 24 ++++++++++++++++++++++++
3 files changed, 32 insertions(+), 2 deletions(-)
diffs (62 lines):
diff -r 45c6b028141e -r d332c4066893 www/ruby-actionpack/Makefile
--- a/www/ruby-actionpack/Makefile Thu Jul 16 10:51:17 2009 +0000
+++ b/www/ruby-actionpack/Makefile Thu Jul 16 11:00:25 2009 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2009/04/07 17:13:27 minskim Exp $
+# $NetBSD: Makefile,v 1.16 2009/07/16 11:00:25 minskim Exp $
DISTNAME= actionpack-2.3.2
PKGNAME= ${RUBY_PKGPREFIX}-${DISTNAME}
+PKGREVISION= 1
CATEGORIES= www
MAINTAINER= minskim%NetBSD.org@localhost
@@ -11,4 +12,8 @@
DEPENDS+= ${RUBY_PKGPREFIX}-activesupport>=2.3.2:../../devel/ruby-activesupport
.include "../../misc/rubygems/rubygem.mk"
+
+pre-configure:
+ ${RM} ${WRKSRC}/lib/action_controller/http_authentication.rb.orig
+
.include "../../mk/bsd.pkg.mk"
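Review bot: the pre-configure target in this hunk deletes http_authentication.rb.orig with a bare ${RM}, which fails the build if the backup is ever absent (for example if the patch is applied without creating one); use `${RM} -f ${WRKSRC}/lib/action_controller/http_authentication.rb.orig` so the target is idempotent. Removing the backup itself is the right call, since anything left under ${WRKSRC} would otherwise be picked up in the gem that gets rebuilt and installed, and the PKGREVISION bump in the previous hunk correctly signals the binary change to users of the unchanged 2.3.2 version.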
diff -r 45c6b028141e -r d332c4066893 www/ruby-actionpack/distinfo
--- a/www/ruby-actionpack/distinfo Thu Jul 16 10:51:17 2009 +0000
+++ b/www/ruby-actionpack/distinfo Thu Jul 16 11:00:25 2009 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.16 2009/04/07 17:13:27 minskim Exp $
+$NetBSD: distinfo,v 1.17 2009/07/16 11:00:25 minskim Exp $
SHA1 (actionpack-2.3.2.gem) = 31e9815ed5d901b6b7f618bb7140f16d1a79ebfc
RMD160 (actionpack-2.3.2.gem) = 800602f5c03b08ca8ca292cc7f82ef009c0e2160
Size (actionpack-2.3.2.gem) = 767488 bytes
+SHA1 (patch-aa) = 85d3a5a5766a6ac220e230436f53f6cd4078a259
SHA1 (patch-ab) = bfba841b0af9d503a71745cc8d992e9d09d94191
diff -r 45c6b028141e -r d332c4066893 www/ruby-actionpack/patches/patch-aa
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/ruby-actionpack/patches/patch-aa Thu Jul 16 11:00:25 2009 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-aa,v 1.3 2009/07/16 11:00:25 minskim Exp $
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
+rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
+
+--- lib/action_controller/http_authentication.rb.orig 2009-07-16 03:45:19.000000000 -0700
++++ lib/action_controller/http_authentication.rb
+@@ -183,7 +183,7 @@ module ActionController
+ request.env['REDIRECT_X_HTTP_AUTHORIZATION']
+ end
+
+- # Raises error unless the request credentials response value matches the expected value.
++ # Returns false unless the request credentials response value matches the expected value.
+ # First try the password as a ha1 digest password. If this fails, then try it as a plain
+ # text password.
+ def validate_digest_response(request, realm, &password_procedure)
+@@ -192,6 +192,7 @@ module ActionController
+
+ if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
+ password = password_procedure.call(credentials[:username])
++ return false unless password
+
+ [true, false].any? do |password_is_ha1|
+ expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
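Review bot: the guard `return false unless password` only trips when password_procedure returns nil or false; an application block that answers an unknown username with an empty string still falls through to expected_response and is compared as if it were a real credential. The patch header should state that the procedure is expected to return nil for unknown users, since that contract is what this one-line fix relies on. The rewritten method comment ("Returns false unless the request credentials response value matches") is consistent with the new early return, and recording the CVE URL and upstream commit hash at the top of patch-aa is good practice that will simplify rebasing on the next actionpack update.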