Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Dear stable release managers,

Please consider ruby-rack (1.6.4-4+deb9u1) for stretch:

ruby-rack (1.6.4-4+deb9u1) stretch; urgency=medium

  * CVE-2018-16471: Prevent a possible XSS vulnerability where a malicious
    request could impact the HTTP/HTTPS scheme returned to the underlying
    application. (Closes: #913005)

The full diff is attached.

Regards,

-- 
Chris Lamb
la...@debian.org / chris-lamb.co.uk
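To make the effect of the change concrete, here is an added, stand-alone Ruby example (not code from the bug report or from Rack itself) that re-implements the scheme-selection logic of Rack::Request#scheme before and after the fix as plain functions over a Rack-style env hash. The function names, the sample environments and the header values are constructed for this example; the whitelist and the precedence order follow the patched code.

```ruby
# Added example: pre- and post-fix scheme selection side by side, so the
# difference can be exercised on constructed environments without Rack.

# Same whitelist as the patched Rack::Request.
SCHEME_WHITELIST = %w(https http).freeze

# Post-fix: a forwarded scheme is honoured only if it is exactly "http" or
# "https"; anything else (nil, odd casing, arbitrary text) is ignored.
# X-Forwarded-Proto may carry a comma-separated chain, of which the first
# entry is used. (Function name is this example's own.)
def forwarded_scheme(env)
  candidates = [
    env['HTTP_X_FORWARDED_SCHEME'],
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',')[0]
  ]
  candidates.find { |value| SCHEME_WHITELIST.include?(value) }
end

# Post-fix resolution order: explicit TLS signals, then a whitelisted
# forwarded scheme, otherwise the scheme Rack derived from the connection.
def request_scheme(env)
  if env['HTTPS'] == 'on'
    'https'
  elsif env['HTTP_X_FORWARDED_SSL'] == 'on'
    'https'
  elsif (scheme = forwarded_scheme(env))
    scheme
  else
    env['rack.url_scheme']
  end
end

# Pre-fix behaviour, kept for contrast only: the forwarded header value is
# returned verbatim, so whatever a client put there reaches the application.
def request_scheme_unvalidated(env)
  if env['HTTP_X_FORWARDED_SCHEME']
    env['HTTP_X_FORWARDED_SCHEME']
  elsif env['HTTP_X_FORWARDED_PROTO']
    env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
  else
    env['rack.url_scheme']
  end
end

# Constructed sample environments (not captured traffic).
BASE_ENV = { 'rack.url_scheme' => 'http' }.freeze

SAMPLES = {
  plain:       BASE_ENV,
  proxied_tls: BASE_ENV.merge('HTTP_X_FORWARDED_PROTO' => 'https'),
  proxy_chain: BASE_ENV.merge('HTTP_X_FORWARDED_PROTO' => 'https, http'),
  scheme_hdr:  BASE_ENV.merge('HTTP_X_FORWARDED_SCHEME' => 'https'),
  junk_scheme: BASE_ENV.merge('HTTP_X_FORWARDED_SCHEME' => 'not-a-scheme'),
  upper_case:  BASE_ENV.merge('HTTP_X_FORWARDED_PROTO' => 'HTTPS'),
}.freeze

# Returns both results for one env so the two behaviours can be compared.
def compare(env)
  { patched: request_scheme(env), unpatched: request_scheme_unvalidated(env) }
end

if __FILE__ == $0
  SAMPLES.each { |name, env| puts "#{name}: #{compare(env)}" }
end
```

Two cases are worth noting when reading the output: the `junk_scheme` sample is reflected verbatim by the unvalidated version and falls back to `rack.url_scheme` after the fix, and the `upper_case` sample shows that the whitelist is an exact match, so a proxy sending `HTTPS` is no longer accepted either.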
diff --git a/debian/changelog b/debian/changelog index da7b047..dbb5d8f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ruby-rack (1.6.4-4+deb9u1) stretch; urgency=medium + + * CVE-2018-16471: Prevent a possible XSS vulnerability where a malicious + request could impact the HTTP/HTTPS scheme returned to the underlying + application. (Closes: #913005) + + -- Chris Lamb <la...@debian.org> Tue, 20 Nov 2018 10:10:14 +0100 + ruby-rack (1.6.4-4) unstable; urgency=medium * Team upload. diff --git a/debian/patches/CVE-2018-16471.patch b/debian/patches/CVE-2018-16471.patch new file mode 100644 index 0000000..51f98c2 --- /dev/null +++ b/debian/patches/CVE-2018-16471.patch @@ -0,0 +1,52 @@ +From: Chris Lamb <la...@debian.org> +Date: Tue, 20 Nov 2018 10:03:55 +0100 +Subject: CVE-2018-16471 + +Backported from https://github.com/rack/rack/commit/97ca63d87d88b4088fb1995b14103d4fe6a5e594 +--- + lib/rack/request.rb | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/rack/request.rb b/lib/rack/request.rb +index ac95b1c..7459603 100644 +--- a/lib/rack/request.rb ++++ b/lib/rack/request.rb +@@ -13,6 +13,8 @@ module Rack + # The environment of the request. + attr_reader :env + ++ SCHEME_WHITELIST = %w(https http).freeze ++ + def initialize(env) + @env = env + end +@@ -68,10 +70,8 @@ module Rack + 'https' + elsif @env['HTTP_X_FORWARDED_SSL'] == 'on' + 'https' +- elsif @env['HTTP_X_FORWARDED_SCHEME'] +- @env['HTTP_X_FORWARDED_SCHEME'] +- elsif @env['HTTP_X_FORWARDED_PROTO'] +- @env['HTTP_X_FORWARDED_PROTO'].split(',')[0] ++ elsif forwarded_scheme ++ forwarded_scheme + else + @env["rack.url_scheme"] + end +@@ -394,5 +394,16 @@ module Rack + s + end + end ++ ++ def forwarded_scheme ++ scheme_headers = [ ++ @env['HTTP_X_FORWARDED_SCHEME'], ++ @env['HTTP_X_FORWARDED_PROTO'].to_s.split(',')[0] ++ ] ++ scheme_headers.each do |header| ++ return header if SCHEME_WHITELIST.include?(header) ++ end ++ nil ++ end + end + end 
diff --git a/debian/patches/series b/debian/patches/series index 3a39f9c..bfc724e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Fix-Params_Depth.patch +CVE-2018-16471.patch
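Review bot: the header of debian/patches/CVE-2018-16471.patch carries the upstream reference only as free text ("Backported from https://github.com/rack/rack/commit/97ca63d87d88b4088fb1995b14103d4fe6a5e594") and no bug reference; DEP-3 fields would let the tracker and lintian follow it, e.g. `Origin: backport, https://github.com/rack/rack/commit/97ca63d87d88b4088fb1995b14103d4fe6a5e594` and `Bug-Debian: https://bugs.debian.org/913005`, with the existing From/Date/Subject kept as they are.

Review bot: in the `@@ -68,10 +70,8 @@` hunk of lib/rack/request.rb the comparison against `SCHEME_WHITELIST = %w(https http)` is exact, so a proxy that sends `X-Forwarded-Proto: HTTPS` (or a value with surrounding whitespace after the `split(',')`) now falls through to `@env["rack.url_scheme"]`, which behind a TLS-terminating proxy is usually `http`; that is the intended hardening, but it is a behaviour change for such deployments and deserves a sentence in the changelog entry so stretch users can check their proxy configuration.

Review bot: the `@@ -394,5 +394,16 @@` hunk adds `forwarded_scheme` but the backport touches only lib/rack/request.rb (see its diffstat: "1 file changed"), so nothing at build time exercises the new path; a small spec asserting that a non-whitelisted `HTTP_X_FORWARDED_SCHEME` value yields `rack.url_scheme` while `https` and a comma-separated `HTTP_X_FORWARDED_PROTO` chain are still honoured would guard the fix against regressions in later stable updates.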