[DRE-maint] Bug#655896: Rails depends on the wrong version of librack-ruby, which leads to a loss of data in redmine.

Satoru KURASHIKI lurdan at gmail.com
Sat Apr 13 21:58:59 UTC 2013


hi,

> So, reassigning to rack, I guess this simple small fix can go
> via stable updates.
>
> O.
>
> 2012/1/15 Jérémy Lal <jerry at edagames.com>:
> > Hi,
> > https://github.com/chneukirchen/rack/commit/6fa19e3a268c
> >
> > is a simple patch that fixes the issue, and is probably
> > the cause of the 1.1.1 release...

I've prepared this small patch for librack-ruby-1.1.0-4.
It's assumed to be applied after fixing pending security bugs. (#698440,
#700226)

debdiff as follows:

--
diff -u librack-ruby-1.1.0/debian/changelog
librack-ruby-1.1.0/debian/changelog
--- librack-ruby-1.1.0/debian/changelog
+++ librack-ruby-1.1.0/debian/changelog
@@ -1,3 +1,10 @@
+librack-ruby (1.1.0-4.1+squeeze2) stable; urgency=medium
+
+  * Non Maintainer Upload.
+  * Remove parsing of quoted values. (Closes: 655896)
+
+ -- KURASHIKI Satoru <lurdan at gmail.com>  Sat, 13 Apr 2013 20:35:25 +0000
+
 librack-ruby (1.1.0-4.1+squeeze1) stable-security; urgency=high

   * Non Maintainer Upload.
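
Review bot: The new entry's "Remove parsing of quoted values." line does not say which file carries the change or where it comes from; name debian/patches/0003-Remove-parsing-of-quoted-values.patch and the upstream commit referenced in this thread so the stable release team can trace it. The bug reference is written "Closes: 655896" without the customary "#"; "Closes: #655896" is the usual form. Since the mail says this upload is meant to follow the pending security fixes, and the previous entry is already +squeeze1, check that +squeeze2 is still free by the time this is uploaded.
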
only in patch2:
unchanged:
---
librack-ruby-1.1.0.orig/debian/patches/0003-Remove-parsing-of-quoted-values.patch
+++
librack-ruby-1.1.0/debian/patches/0003-Remove-parsing-of-quoted-values.patch
@@ -0,0 +1,42 @@
+--- a/lib/rack/utils.rb        2013-04-13 20:25:45.005940347 +0000
++++ b/lib/rack/utils.rb        2013-04-13 20:26:21.696277220 +0000
+@@ -38,9 +38,6 @@
+
+       (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
+         k, v = p.split('=', 2).map { |x| unescape(x) }
+-        if v =~ /^("|')(.*)\1$/
+-          v = $2.gsub('\\'+$1, $1)
+-        end
+         if cur = params[k]
+           if cur.class == Array
+             params[k] << v
+@@ -69,9 +66,6 @@
+     module_function :parse_nested_query
+
+     def normalize_params(params, name, v = nil)
+-      if v and v =~ /^("|')(.*)\1$/
+-        v = $2.gsub('\\'+$1, $1)
+-      end
+       name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
+       k = $1 || ''
+       after = $' || ''
+--- a/test/spec_rack_utils.rb  2013-04-13 20:27:41.540708117 +0000
++++ b/test/spec_rack_utils.rb  2013-04-13 20:28:39.332709491 +0000
+@@ -33,7 +33,7 @@
+     Rack::Utils.parse_query("foo=bar").
+       should.equal "foo" => "bar"
+     Rack::Utils.parse_query("foo=\"bar\"").
+-      should.equal "foo" => "bar"
++      should.equal "foo" => "\"bar\""
+     Rack::Utils.parse_query("foo=bar&foo=quux").
+       should.equal "foo" => ["bar", "quux"]
+     Rack::Utils.parse_query("foo=1&bar=2").
+@@ -51,7 +51,7 @@
+     Rack::Utils.parse_nested_query("foo=bar").
+       should.equal "foo" => "bar"
+     Rack::Utils.parse_nested_query("foo=\"bar\"").
+-      should.equal "foo" => "bar"
++      should.equal "foo" => "\"bar\""
+
+     Rack::Utils.parse_nested_query("foo=bar&foo=quux").
+       should.equal "foo" => "quux"
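
Review bot: The added 0003-Remove-parsing-of-quoted-values.patch starts directly at "--- a/lib/rack/utils.rb" with no header, so the file itself records neither its origin nor the bug it fixes; add a short description plus Origin and Bug-Debian fields pointing at the upstream commit quoted earlier in this mail and at 655896. In the test/spec_rack_utils.rb part only the double-quoted case foo=\"bar\" is updated, while the removed regex /^("|')(.*)\1$/ also matched single-quoted values and the gsub unescaped backslash-escaped quotes inside them; a spec for foo='bar' and one for a value with an escaped inner quote would pin down that these now pass through verbatim as well. The debdiff as shown does not touch a series file, so confirm that the new patch is actually applied during the build.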

regards,
-- 
KURASHIKI Satoru