From 7241318db49ec356f31dac96345a4ff730d313f0 Mon Sep 17 00:00:00 2001
From: Balasankar C
Date: Fri, 5 May 2017 23:56:57 +0530
Subject: [PATCH] Fix CVE-2017-8778

---
 debian/changelog | 7 +++
 debian/patches/cve-2017-8778.patch | 87 ++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 95 insertions(+)
 create mode 100644 debian/patches/cve-2017-8778.patch

diff --git a/debian/changelog b/debian/changelog
index 7788c76392..376082897d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gitlab (8.13.11+dfsg1-6) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2017-8778 (Closes: #861870)
+
+ -- Balasankar C Fri, 05 May 2017 23:55:26 +0530
+
 gitlab (8.13.11+dfsg1-5) unstable; urgency=medium

 * Fix letsencrypt email handling in config
diff --git a/debian/patches/cve-2017-8778.patch b/debian/patches/cve-2017-8778.patch
new file mode 100644
index 0000000000..60cf64c599
--- /dev/null
+++ b/debian/patches/cve-2017-8778.patch
@@ -0,0 +1,87 @@
+Description: Patch against CVE-2017-8778
+Author: Brian Neel
+Origin: ,
+Bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471
+Applied-Upstream: https://gitlab.com/gitlab-org/gitlab-ce/commit/dd944bf14f4a0fd555db32d5833325fa459d9565
+Last-Update: 2017-05-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/app/uploaders/file_uploader.rb
++++ b/app/uploaders/file_uploader.rb
+@@ -36,7 +36,7 @@
+ escaped_filename = filename.gsub("]", "\\]")
+
+ markdown = "[#{escaped_filename}](#{self.secure_url})"
+- markdown.prepend("!") if image_or_video?
++ markdown.prepend("!") if image_or_video? || dangerous?
+
+ {
+ alt: filename,
+--- a/app/uploaders/uploader_helper.rb
++++ b/app/uploaders/uploader_helper.rb
+@@ -7,11 +7,19 @@
+ # on IE >= 9.
+ # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
+ VIDEO_EXT = %w[mp4 m4v mov webm ogv]
++ # These extension types can contain dangerous code and should only be embedded inline with
++ # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
++ DANGEROUS_EXT = %w[svg]
++
+
+ def image?
+ extension_match?(IMAGE_EXT)
+ end
+
++ def dangerous?
++ extension_match?(DANGEROUS_EXT)
++ end
++
+ def video?
+ extension_match?(VIDEO_EXT)
+ end
+--- a/spec/controllers/uploads_controller_spec.rb
++++ b/spec/controllers/uploads_controller_spec.rb
+@@ -4,6 +4,28 @@
+ let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
+
+ describe "GET show" do
++ context 'Content-Disposition security measures' do
++ let(:project) { create(:empty_project, :public) }
++
++ context 'for PNG files' do
++ it 'returns Content-Disposition: inline' do
++ note = create(:note, :with_attachment, project: project)
++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
++
++ expect(response['Content-Disposition']).to start_with('inline;')
++ end
++ end
++
++ context 'for SVG files' do
++ it 'returns Content-Disposition: attachment' do
++ note = create(:note, :with_svg_attachment, project: project)
++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'
++
++ expect(response['Content-Disposition']).to start_with('attachment;')
++ end
++ end
++ end
++
+ context "when viewing a user avatar" do
+ context "when signed in" do
+ before do
+--- a/spec/factories/notes.rb
++++ b/spec/factories/notes.rb
+@@ -83,7 +83,11 @@
+ end
+
+ trait :with_attachment do
+- attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") }
++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") }
++ end
++
++ trait :with_svg_attachment do
++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") }
+ end
+ end
+ end
diff --git a/debian/patches/series b/debian/patches/series
index d8465521c2..e1c69c4cc0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ pid-log-paths.patch
 0210-use-jquery-ui-rails6.patch
 0300-git-2-11-support.patch
 cve-2017-0882.patch
+cve-2017-8778.patch
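Review bot: Nothing in this backport actually forces `Content-Disposition: attachment` for SVG uploads: the new `dangerous?` predicate in uploader_helper.rb is only called from `to_markdown` (to keep the `!` image prefix), while `UploadsController#show`, the code the added spec exercises, is not touched by any hunk, and the comment on `DANGEROUS_EXT` promises a header that no visible line sets. The `IMAGE_EXT` constant sits above the uploader_helper hunk and is left unmodified; as far as I recall the upstream commit also dropped `svg` from that list, so if 8.13's `IMAGE_EXT` still contains `svg` then `image_or_video?` stays true, the file is still served inline and the `returns Content-Disposition: attachment` example will fail — verify against the 8.13 tree. Either carry that `IMAGE_EXT` change in this patch or make the disposition explicit where the controller calls `send_file`, e.g. `disposition = uploader.image_or_video? && !uploader.dangerous? ? 'inline' : 'attachment'`. The `:with_svg_attachment` trait also depends on `spec/fixtures/unsanitized.svg`, which this patch does not add; confirm the fixture exists in 8.13 or the spec will error on the missing file rather than on the header.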