CVE-2024-26144.patch

@@ -1,60 +0,0 @@
-From 723f54566023e91060a67b03353e7c03e7436433 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
- <rafael@rubyonrails.org>
-Date: Thu, 3 Aug 2023 16:00:34 -0400
-Subject: [PATCH] Merge pull request #48869 from
- brunoprietog/disable-session-active-storage-proxy-controllers
-
-Disable session in ActiveStorage blobs and representations proxy controllers
-
-[CVE-2024-26144]
----
- activestorage/CHANGELOG.md                           |  8 ++++++++
- .../active_storage/blobs/proxy_controller.rb         |  1 +
- .../representations/proxy_controller.rb              |  1 +
- .../concerns/active_storage/disable_session.rb       | 12 ++++++++++++
- 4 files changed, 22 insertions(+)
- create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb
-
-diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
-index 6ec2772717c70..438623858474e 100644
---- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
-+++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb
-@@ -9,6 +9,7 @@
- class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
-   include ActiveStorage::SetBlob
-   include ActiveStorage::Streaming
-+  include ActiveStorage::DisableSession
- 
-   def show
-     if request.headers["Range"].present?
-diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
-index 0f6c0f79978ab..7024f6534a501 100644
---- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
-+++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
-@@ -8,6 +8,7 @@
- # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
- class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
-   include ActiveStorage::Streaming
-+  include ActiveStorage::DisableSession
- 
-   def show
-     http_cache_forever public: true do
-diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
-new file mode 100644
-index 0000000000000..200ad7c9d23ac
---- /dev/null
-+++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
-@@ -0,0 +1,12 @@
-+# frozen_string_literal: true
-+
-+# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
-+module ActiveStorage::DisableSession
-+  extend ActiveSupport::Concern
-+
-+  included do
-+    before_action do
-+      request.session_options[:skip] = true
-+    end
-+  end
-+end

rubygem-activestorage.spec

@@ -1,31 +1,21 @@
 %global gem_name activestorage
-%bcond_without bootstrap
+%{?_with_bootstrap: %global bootstrap 1}
+%global bootstrap 1
 %bcond_with ffmpeg
 Name:                rubygem-%{gem_name}
-Version:             7.0.7
+Version:             5.2.3
-Release:             2
+Release:             1
 Summary:             Local and cloud file storage framework
 License:             MIT
 URL:                 http://rubyonrails.org
-Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
+Source0:             https://rubygems.org/gems/activestorage-5.2.3.gem
-# The gem doesn't ship with the test suite.
+Source1:             https://github.com/rails/rails/archive/v5.2.3.tar.gz
-# You may check it out like so
-# git clone https://github.com/rails/rails.git
-# cd rails/activestorage && git archive -v -o activestorage-7.0.7-tests.txz v7.0.7 test/
-Source1:             %{gem_name}-%{version}-tests.txz
-# The tools are needed for the test suite, are however unpackaged in gem file.
-# You may check it out like so
-# git clone http://github.com/rails/rails.git --no-checkout
-# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
-Source2:             rails-%{version}-tools.txz
-# https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
-Patch0:              CVE-2024-26144.patch
 BuildRequires:       ruby(release) rubygems-devel ruby
-%if %{without bootstrap}
+%if ! 0%{?bootstrap}
 BuildRequires:       rubygem(actionpack) = %{version} rubygem(activerecord) = %{version}
 BuildRequires:       rubygem(activejob) = %{version} rubygem(railties) = %{version}
 BuildRequires:       rubygem(rails) = %{version} rubygem(sprockets-rails) rubygem(connection_pool)
-BuildRequires:       rubygem(image_processing) rubygem(sqlite3)
+BuildRequires:       rubygem(mini_magick) rubygem(sqlite3)
 %{?with_ffmpeg:BuildRequires: %{_bindir}/ffmpeg}
 BuildRequires:       %{_bindir}/mutool %{_bindir}/pdftoppm
 %endif
@@ -44,8 +34,7 @@ BuildArch:           noarch
 Documentation for %{name}.
 
 %prep
-%setup -q -n %{gem_name}-%{version} -b1 -b2
+%setup -q -n %{gem_name}-%{version}
-%patch0 -p2
 
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@@ -57,7 +46,7 @@ cp -a .%{gem_dir}/* \
         %{buildroot}%{gem_dir}/
 
 %check
-%if %{without bootstrap}
+%if ! 0%{?bootstrap}
 ln -s %{gem_dir}/specifications/rails-%{version}.gemspec .%{gem_dir}/gems/rails.gemspec
 ln -s %{gem_dir}/gems/railties-%{version}/ .%{gem_dir}/gems/railties
 ln -s %{gem_dir}/gems/activerecord-%{version}/ .%{gem_dir}/gems/activerecord
@@ -66,40 +55,29 @@ ln -s %{gem_dir}/gems/actionpack-%{version}/ .%{gem_dir}/gems/actionpack
 ln -s %{gem_dir}/gems/activesupport-%{version}/ .%{gem_dir}/gems/activesupport
 ln -s ${PWD}%{gem_instdir} .%{gem_dir}/gems/%{gem_name}
 pushd .%{gem_dir}/gems/%{gem_name}
-ln -s %{_builddir}/tools ..
+tar xzvf %{SOURCE1}
-cp -a %{_builddir}/test .
 touch Gemfile
 echo 'gem "actionpack"' >> ../Gemfile
 echo 'gem "activerecord"' >> ../Gemfile
 echo 'gem "activejob"' >> ../Gemfile
 echo 'gem "sprockets-rails"' >> ../Gemfile
-echo 'gem "image_processing"' >> ../Gemfile
+echo 'gem "mini_magick"' >> ../Gemfile
 echo 'gem "rails"' >> ../Gemfile
 echo 'gem "sqlite3"' >> ../Gemfile
-%if %{without ffmpeg}
+cd rails-%{version}/%{gem_name}
+%if ! 0%{?with_ffmpeg}
 mv test/analyzer/video_analyzer_test.rb{,.disable}
-mv test/analyzer/audio_analyzer_test.rb{,.disable}
-mv test/previewer/video_previewer_test.rb{,.disable}
 for f in \
   models/preview \
   models/representation \
-  %{nil}
+  previewer/video_previewer
 do
-sed -i '/^  test ".* MP4 video.*" do$/,/^  end$/ s/^/#/g' \
+sed -i '/^  test ".* an MP4 video" do$/,/^  end$/ s/^/#/g' \
   test/${f}_test.rb
 done
+sed -i '/^  test "analyze newly-attached blobs" do$/,/^  end$/ s/^/#/g' \
+  test/models/attachments_test.rb
 %endif
-# Blobs seem to be broken
-# https://github.com/rails/rails/pull/40226
-# https://github.com/rails/rails/issues/44395
-sed -i -e '/test "optimized variation of GIF"/ a skip' \
-    -e '/thumbnail variation of extensionless GIF/ a skip' \
-    -e '/test "resized variation of PSD blob" do/ a skip' \
-    -e '/test "resized variation of BMP blob" do/ a skip' \
-    -e '/test "resized variation of ICO blob" do/ a skip' \
-    -e '/test "resized variation of GIF blob" do/ a skip' \
-    -e '/test "optimized variation of GIF blob" do/ a skip' \
-  test/models/variant_test.rb
 export RUBYOPT="-I${PWD}/../%{gem_name}/lib"
 export PATH="${PWD}/../%{gem_name}/exe:$PATH"
 export BUNDLE_GEMFILE=${PWD}/../Gemfile
@@ -123,20 +101,5 @@ popd
 %doc %{gem_instdir}/README.md
 
 %changelog
-* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 7.0.7-2
-- Fix CVE-2024-26144
-
-* Thu Aug 17 2023 Ge Wang <wang__ge@126.com> - 7.0.7-1
-- Upgrade to version 7.0.7
-
-* Thu Jan 19 2023 wangkai <wangkai385@h-partners.com> - 7.0.4-1
-- Upgrade to version 7.0.4
-
-* Wed Mar 02 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 6.1.4.1-1
-- update to 6.1.4.1
-
-* Mon Feb  8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
-- Upgrade to 5.2.4.4
-
 * Wed Aug 12 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1
 - Package init