ab1c353515
- ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the
changes at trunk to enable the fix without any modifications on the
users' scripts. Note that Net::HTTP#enable_post_connection_check isn't
available anymore. If you want to disable this post-check, you should
give OpenSSL::SSL::VERIFY_NONE to Net::HTTP#verify_mode= instead of.
98 lines
3.8 KiB
Diff
98 lines
3.8 KiB
Diff
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb
|
|
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900
|
|
+++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900
|
|
@@ -29,13 +29,23 @@ require 'net/ftp'
|
|
|
|
module Net
|
|
class FTPTLS < FTP
|
|
+ def connect(host, port=FTP_PORT)
|
|
+ @hostname = host
|
|
+ super
|
|
+ end
|
|
+
|
|
def login(user = "anonymous", passwd = nil, acct = nil)
|
|
+ store = OpenSSL::X509::Store.new
|
|
+ store.set_default_paths
|
|
ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
|
|
+ ctx.cert_store = store
|
|
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
ctx.key = nil
|
|
ctx.cert = nil
|
|
voidcmd("AUTH TLS")
|
|
@sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
|
|
@sock.connect
|
|
+ @sock.post_connection_check(@hostname)
|
|
super(user, passwd, acct)
|
|
voidcmd("PBSZ 0")
|
|
end
|
|
diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb
|
|
--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900
|
|
+++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900
|
|
@@ -134,6 +134,9 @@ module Net
|
|
@sock.verify_callback = @options['VerifyCallback']
|
|
@sock.verify_depth = @options['VerifyDepth']
|
|
@sock.connect
|
|
+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
|
|
+ @sock.post_connection_check(@options['Host'])
|
|
+ end
|
|
@ssl = true
|
|
end
|
|
''
|
|
diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb
|
|
--- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900
|
|
+++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900
|
|
@@ -470,7 +470,6 @@ module Net #:nodoc:
|
|
@debug_output = nil
|
|
@use_ssl = false
|
|
@ssl_context = nil
|
|
- @enable_post_connection_check = false
|
|
end
|
|
|
|
def inspect
|
|
@@ -527,9 +526,6 @@ module Net #:nodoc:
|
|
false # redefined in net/https
|
|
end
|
|
|
|
- # specify enabling SSL server certificate and hostname checking.
|
|
- attr_accessor :enable_post_connection_check
|
|
-
|
|
# Opens TCP connection and HTTP session.
|
|
#
|
|
# When this method is called with block, gives a HTTP object
|
|
@@ -589,12 +585,7 @@ module Net #:nodoc:
|
|
end
|
|
s.connect
|
|
if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
|
|
- begin
|
|
- s.post_connection_check(@address)
|
|
- rescue OpenSSL::SSL::SSLError => ex
|
|
- raise ex if @enable_post_connection_check
|
|
- warn ex.message
|
|
- end
|
|
+ s.post_connection_check(@address)
|
|
end
|
|
end
|
|
on_connect
|
|
diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb
|
|
--- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900
|
|
+++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900
|
|
@@ -900,6 +900,7 @@ module Net
|
|
end
|
|
@sock = SSLSocket.new(@sock, context)
|
|
@sock.connect # start ssl session.
|
|
+ @sock.post_connection_check(@host) if verify
|
|
else
|
|
@usessl = false
|
|
end
|
|
diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb
|
|
--- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900
|
|
+++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900
|
|
@@ -229,7 +229,6 @@ module OpenURI
|
|
if target.class == URI::HTTPS
|
|
require 'net/https'
|
|
http.use_ssl = true
|
|
- http.enable_post_connection_check = true
|
|
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
store = OpenSSL::X509::Store.new
|
|
store.set_default_paths
|