[rubygem-activesupport] fix for cve-2011-2197
Mohammed Morsi
mmorsi at fedoraproject.org
Thu Jun 16 23:17:04 UTC 2011
commit eb050168148a6623ae04ec6a9005cf052d38d48a
Author: Mo Morsi <mmorsi at redhat.com>
Date: Thu Jun 16 19:14:34 2011 -0400
fix for cve-2011-2197
http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
cve-2011-2197-fix.patch | 48 ++++++++++++++++++++++++++++++++++++++++++++
rubygem-activesupport.spec | 8 ++++++-
2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/cve-2011-2197-fix.patch b/cve-2011-2197-fix.patch
new file mode 100644
index 0000000..0f36f0e
--- /dev/null
+++ b/cve-2011-2197-fix.patch
@@ -0,0 +1,48 @@
+--- lib/active_support/core_ext/string/output_safety.rb
++++ lib/active_support/core_ext/string/output_safety.rb
+@@ -73,6 +73,7 @@ end
+
+ module ActiveSupport #:nodoc:
+ class SafeBuffer < String
++ UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
+ alias safe_concat concat
+
+ def concat(value)
+@@ -103,6 +104,18 @@ module ActiveSupport #:nodoc:
+ def to_yaml(*args)
+ to_str.to_yaml(*args)
+ end
++
++ for unsafe_method in UNSAFE_STRING_METHODS
++ class_eval <<-EOT, __FILE__, __LINE__
++ def #{unsafe_method}(*args)
++ super.to_str
++ end
++
++ def #{unsafe_method}!(*args)
++ raise TypeError, "Cannot modify SafeBuffer in place"
++ end
++ EOT
++ end
+ end
+ end
+
+--- test/safe_buffer_test.rb
++++ test/safe_buffer_test.rb
+@@ -38,4 +38,16 @@ class SafeBufferTest < ActiveSupport::TestCase
+ new_buffer = @buffer.to_s
+ assert_equal ActiveSupport::SafeBuffer, new_buffer.class
+ end
++
++ test "Should not return safe buffer from gsub" do
++ altered_buffer = @buffer.gsub('', 'asdf')
++ assert_equal 'asdf', altered_buffer
++ assert !altered_buffer.html_safe?
++ end
++
++ test "Should not allow gsub! on safe buffers" do
++ assert_raise TypeError do
++ @buffer.gsub!('', 'asdf')
++ end
++ end
+ end
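Review bot: `super.to_str` in the generated `def #{unsafe_method}(*args)` wrappers raises NoMethodError whenever the underlying String method does not return a String — `slice` returns nil for an out-of-range index, and `gsub` called with only a pattern returns an Enumerator on Ruby versions that support that form — so callers that worked before the patch now fail with an unrelated error instead of getting a plain String. Delegating on the unsafe copy avoids this and makes the block explicit: `def #{unsafe_method}(*args, &block)` with body `to_str.#{unsafe_method}(*args, &block)`. The bang wrappers discard `*args` and raise TypeError unconditionally, which is deliberate but API-breaking for any template code that mutated a buffer in place; presumably that deserves a line in the package changelog. Two smaller points on the same lines: `__LINE__` should be `__LINE__ + 1` so backtraces point at the first heredoc line, and `for unsafe_method in` leaks the loop variable into the class body where `UNSAFE_STRING_METHODS.each do |unsafe_method|` would not.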
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index b499bd7..e69b3aa 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -31,6 +31,11 @@ Patch1: activesupport-tests-fix.patch
# is in Fedora http://bugzilla.redhat.com/show_bug.cgi?id=668822
Patch2: activesupport-remove-memcache-build-dep.patch
+# CVE-2011-2197
+# http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
+# FIX: https://gist.github.com/b2ceb626fc2bcdfe497f
+Patch3: cve-2011-2197-fix.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: ruby(abi) = %{rubyabi}
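Review bot: The `# FIX:` reference added above `Patch3` points at an anonymous gist rather than an upstream commit or tagged release, so a later packager cannot verify that the embedded patch is byte-for-byte what upstream shipped for CVE-2011-2197. The advisory URL on the line before it announces fixed releases; once the backport is confirmed against that, the comment should name the upstream release and commit it was taken from, keeping the gist only as a secondary reference, e.g. `# Backport of the upstream fix (release/commit: TBD); gist: https://gist.github.com/b2ceb626fc2bcdfe497f`.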
@@ -53,7 +58,7 @@ goodies from the Rails framework
%setup -q -c -T
mkdir -p .%{gemdir}
gem install --local --install-dir .%{gemdir} \
- --force -V --rdoc %{SOURCE0}
+ --force -V --no-ri --no-rdoc %{SOURCE0}
# move the tests into place
tar xzvf %{SOURCE2} -C .%{geminstdir}
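Review bot: The switch from `--rdoc` to `--no-ri --no-rdoc` on the `gem install` line is unrelated to the CVE fix and is not mentioned in the commit message, which makes a security backport harder to audit and to cherry-pick onto other branches. It should either be split into its own commit or at least called out in the message, e.g. `also skip ri/rdoc generation during gem install`.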
@@ -62,6 +67,7 @@ tar xzvf %{SOURCE2} -C .%{geminstdir}
pushd .%{geminstdir}
%patch1 -p0
%patch2 -p0
+%patch3 -p0
%build