[rubygem-actionpack/f15] fixes for bugzillas #731432 and #731436
Mohammed Morsi
mmorsi at fedoraproject.org
Mon Aug 22 20:06:14 UTC 2011
commit 774e1c249b2a396a23f193ed064dab9f16e88926
Author: Mo Morsi <mmorsi at redhat.com>
Date: Mon Aug 22 16:05:41 2011 -0400
fixes for bugzillas #731432 and #731436
actionpack-bz-731432-fix.patch | 64 ++++++++++++++++++++++++++++++++++++++++
actionpack-bz-731436-fix.patch | 31 +++++++++++++++++++
rubygem-actionpack.spec | 13 +++++++-
3 files changed, 107 insertions(+), 1 deletions(-)
---
diff --git a/actionpack-bz-731432-fix.patch b/actionpack-bz-731432-fix.patch
new file mode 100644
index 0000000..558372e
--- /dev/null
+++ b/actionpack-bz-731432-fix.patch
@@ -0,0 +1,64 @@
+diff --git lib/action_view/template/resolver.rb.orig lib/action_view/template/resolver.rb
+index a508a68..4fda93f 100644
+--- lib/action_view/template/resolver.rb.orig
++++ lib/action_view/template/resolver.rb
+@@ -63,7 +63,7 @@ module ActionView
+ end
+
+ def query(path, exts, formats)
+- query = File.join(@path, path)
++ query = escape_entry File.join(@path, path)
+
+ exts.each do |ext|
+ query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
+@@ -88,6 +88,10 @@ module ActionView
+ templates
+ end
+
++ def escape_entry(entry)
++ entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
++ end
++
+ # Extract handler and formats from path. If a format cannot be a found neither
+ # from the path, or the handler, we should return the array of formats given
+ # to the resolver.
+diff --git test/controller/render_test.rb.orig test/controller/render_test.rb
+index c5c79c1..69112f0 100644
+--- test/controller/render_test.rb.orig
++++ test/controller/render_test.rb
+@@ -396,6 +396,14 @@ class TestController < ActionController::Base
+ render :template => "test/hello_world"
+ end
+
++ def render_with_explicit_unescaped_template
++ render :template => "test/h*llo_world"
++ end
++
++ def render_with_explicit_escaped_template
++ render :template => "test/hello_w*rld"
++ end
++
+ def render_with_explicit_string_template
+ render "test/hello_world"
+ end
+@@ -1057,6 +1065,12 @@ class RenderTest < ActionController::TestCase
+ assert_response :success
+ end
+
++ def test_render_with_explicit_unescaped_template
++ assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
++ get :render_with_explicit_escaped_template
++ assert_equal "Hello w*rld!", @response.body
++ end
++
+ def test_render_with_explicit_string_template
+ get :render_with_explicit_string_template
+ assert_equal "<html>Hello world!</html>", @response.body
+diff --git test/fixtures/test/hello_w*rld.erb test/fixtures/test/hello_w*rld.erb
+new file mode 100644
+index 0000000..bc8fa5e
+--- /dev/null
++++ test/fixtures/test/hello_w*rld.erb
+@@ -0,0 +1 @@
++Hello w*rld!
+\ No newline at end of file
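Review bot: `escape_entry` in the inner resolver.rb hunk backslash-escapes `* [ ] { } ?` but leaves a literal backslash untouched, and Dir.glob treats `\` as its own escape character, so a name that already holds a backslash in front of a metacharacter, such as `h\*llo`, becomes `h\\*llo` after escaping and the glob reads that as a literal backslash followed by a live `*`. Unless backslashes are rejected before `query` is reached (not visible in this hunk), the escaping is incomplete; putting the backslash first in the alternation, `entry.gsub(/(\\|\*|\[|\]|\{|\}|\?)/, "\\\\\\1")`, escapes it before the other characters so the inserted escapes cannot be consumed. The method also has no comment saying why it exists; something like `# Template names may be derived from request data: escape Dir.glob metacharacters so a lookup can only match the literal path` would keep the next maintainer from dropping it. The surrounding `query` method continues outside the inner hunk.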
diff --git a/actionpack-bz-731436-fix.patch b/actionpack-bz-731436-fix.patch
new file mode 100644
index 0000000..d6ed3e1
--- /dev/null
+++ b/actionpack-bz-731436-fix.patch
@@ -0,0 +1,31 @@
+diff --git lib/action_controller/vendor/html-scanner/html/node.rb.orig lib/action_controller/vendor/html-scanner/html/node.rb
+index 8525072..74c381b 100644
+--- lib/action_controller/vendor/html-scanner/html/node.rb.orig
++++ lib/action_controller/vendor/html-scanner/html/node.rb
+@@ -156,7 +156,7 @@ module HTML #:nodoc:
+ end
+
+ closing = ( scanner.scan(/\//) ? :close : nil )
+- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
++ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
+ name.downcase!
+
+ unless closing
+diff --git test/template/html-scanner/sanitizer_test.rb.orig test/template/html-scanner/sanitizer_test.rb
+index 3e80317..889a0f7 100644
+--- test/template/html-scanner/sanitizer_test.rb
++++ test/template/html-scanner/sanitizer_test.rb
+@@ -5,6 +5,13 @@ class SanitizerTest < ActionController::TestCase
+ @sanitizer = nil # used by assert_sanitizer
+ end
+
++ def test_strip_tags_with_quote
++ sanitizer = HTML::FullSanitizer.new
++ string = '<" <img src="trollface.gif" onload="alert(1)"> hi'
++
++ assert_equal ' hi', sanitizer.sanitize(string)
++ end
++
+ def test_strip_tags
+ sanitizer = HTML::FullSanitizer.new
+ assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))
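Review bot: The widened tag-name pattern `/[^\s!>\/]+/` in node.rb accepts any run of non-whitespace characters, so a malformed opener such as `<"` is now parsed as a tag and stripped instead of being returned as Text, which is exactly what the added `test_strip_tags_with_quote` pins, but the reason for the deliberately lenient match is not recorded in the code. A comment beside the changed line would stop a later cleanup from tightening it back, e.g. `# Match tag names as permissively as browsers do: anything a browser could treat as a tag must be stripped, never passed through as text`. The `---` header for sanitizer_test.rb lacks the `.orig` suffix every other header in these two patches carries; it presumably still applies with `-p0` because patch picks whichever candidate name exists, but regenerating the patch with consistent headers would be cleaner. The method containing the changed `scanner.scan` call starts and ends outside the inner hunk.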
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 20d8077..c662626 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.5
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -47,6 +47,12 @@ Patch4: actionpack-add-rack-mount-deps.patch
# https://github.com/rails/rails/commit/2e757bc298cef715e5c56945161bbd84f2610729
Patch5: cve-2011-2197-actionpack-fix.patch
+# Fixes for:
+# https://bugzilla.redhat.com/show_bug.cgi?id=731432
+# https://bugzilla.redhat.com/show_bug.cgi?id=731436
+Patch6: actionpack-bz-731432-fix.patch
+Patch7: actionpack-bz-731436-fix.patch
+
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -105,6 +111,8 @@ pushd .%{geminstdir}
%patch1 -p0
%patch2 -p0
%patch5 -p0
+%patch6 -p0
+%patch7 -p0
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -176,6 +184,9 @@ rake test --trace
%changelog
+* Mon Aug 22 2011 Mo Morsi <mmorsi at redhat.com> - 1:3.0.5-4
+- Include fixes for BZ#731432 and BZ#731436
+
* Thu Jun 16 2011 Mo Morsi <mmorsi at redhat.com> - 1:3.0.5-3
- Include fix for CVE-2011-2197