update and correct ruby CVE-2024035176.patch (#9280)

Co-authored-by: minghe <rmhsawyer>
2024-05-31 16:28:37 -07:00 · 2024-05-31 16:28:37 -07:00 · 6e4ebc6899
--- a/SPECS/ruby/CVE-2024-35176.patch
+++ b/SPECS/ruby/CVE-2024-35176.patch
@ -1,8 +1,8 @@
 Patch taken from https://github.com/ruby/rexml/pull/126/files#diff-93b40740603234e79b1d9be5ff2b3af80f3964a146183cbd698f14d7336726e9
 diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
--- a/.bundle/gems/rexml-3.2.5/lib/parsers/baseparser.rb	2021-04-05 04:43:38.000000000 -0700
-+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb	2024-05-28 18:53:32.656078157 -0700
-@@ -589,60 +589,41 @@
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb	2021-04-05 04:43:38.000000000 -0700
+++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb	2024-05-31 14:22:29.683378525 -0700
+@@ -589,85 +589,58 @@
       def parse_attributes(prefixes, curr_ns)
         attributes = {}
         closed = false
@ -48,15 +48,6 @@ diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/g
             end
 -            quote = scanner.scan(/['"]/)
 -            unless quote
-+            unless match = @source.match(/(['"])(.*?)\1\s*/um, true)
-+              if match = @source.match(/(['"])/, true)
-+                message =
-+                  "Missing attribute value end quote: <#{name}>: <#{match[1]}>"
-+                raise REXML::ParseException.new(message, @source)
-+              else
-+                message = "Missing attribute value start quote: <#{name}>"
-+                raise REXML::ParseException.new(message, @source)
-+              end
 +            unless match = @source.match(/(['"])/, true)
               message = "Missing attribute value start quote: <#{name}>"
               raise REXML::ParseException.new(message, @source)
@ -85,11 +76,57 @@ diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/g
 -          local_part = scanner[3]
 -          # quote = scanner[4]
 -          value = scanner[5]
-+            value = match[2]
+-          if prefix == "xmlns"
+-            if local_part == "xml"
+-              if value != "http://www.w3.org/XML/1998/namespace"
+-                msg = "The 'xml' prefix must not be bound to any other namespace "+
 +            @source.match(/\s*/um, true)
-           if prefix == "xmlns"
-             if local_part == "xml"
-               if value != "http://www.w3.org/XML/1998/namespace"
+            if prefix == "xmlns"
+              if local_part == "xml"
+                if value != "http://www.w3.org/XML/1998/namespace"
+                  msg = "The 'xml' prefix must not be bound to any other namespace "+
+                    "(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
+                  raise REXML::ParseException.new( msg, @source, self)
+                end
+              elsif local_part == "xmlns"
+                msg = "The 'xmlns' prefix must not be declared "+
+                   "(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
+-                raise REXML::ParseException.new( msg, @source, self )
+                raise REXML::ParseException.new( msg, @source, self)
+               end
+-            elsif local_part == "xmlns"
+-              msg = "The 'xmlns' prefix must not be declared "+
+-                "(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
+-              raise REXML::ParseException.new( msg, @source, self)
+              curr_ns << local_part
+            elsif prefix
+              prefixes << prefix unless prefix == "xml"
+             end
+-            curr_ns << local_part
+-          elsif prefix
+-            prefixes << prefix unless prefix == "xml"
+-          end
+-
+-          if attributes.has_key?(name)
+-            msg = "Duplicate attribute #{name.inspect}"
+-            raise REXML::ParseException.new(msg, @source, self)
+            if attributes[name]
+              msg = "Duplicate attribute #{name.inspect}"
+              raise REXML::ParseException.new(msg, @source, self)
+            end
+            
+            attributes[name] = value
+          else
+            message = "Invalid attribute name: <#{@source.buffer.split(%r{[/>\s]}).first}>"
+            raise REXML::ParseException.new(message, @source)
+           end
+-
+-          attributes[name] = value
+         end
+-        return attributes, closed
+       end
+     end
+   end
 diff -ruN a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
 --- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb	2021-04-05 04:43:38.000000000 -0700
 +++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb	2024-05-28 17:10:36.356913505 -0700