[rubygem-activesupport] fix for cve-2011-2197

Mohammed Morsi mmorsi at fedoraproject.org
Thu Jun 16 23:17:04 UTC 2011


commit eb050168148a6623ae04ec6a9005cf052d38d48a
Author: Mo Morsi <mmorsi at redhat.com>
Date:   Thu Jun 16 19:14:34 2011 -0400

    fix for cve-2011-2197
    
    http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

 cve-2011-2197-fix.patch    |   48 ++++++++++++++++++++++++++++++++++++++++++++
 rubygem-activesupport.spec |    8 ++++++-
 2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/cve-2011-2197-fix.patch b/cve-2011-2197-fix.patch
new file mode 100644
index 0000000..0f36f0e
--- /dev/null
+++ b/cve-2011-2197-fix.patch
@@ -0,0 +1,48 @@
+--- lib/active_support/core_ext/string/output_safety.rb
++++ lib/active_support/core_ext/string/output_safety.rb
+@@ -73,6 +73,7 @@ end
+ 
+ module ActiveSupport #:nodoc:
+   class SafeBuffer < String
++    UNSAFE_STRING_METHODS = ["capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"].freeze
+     alias safe_concat concat
+ 
+     def concat(value)
+@@ -103,6 +104,18 @@ module ActiveSupport #:nodoc:
+     def to_yaml(*args)
+       to_str.to_yaml(*args)
+     end
++
++    for unsafe_method in UNSAFE_STRING_METHODS
++      class_eval <<-EOT, __FILE__, __LINE__
++        def #{unsafe_method}(*args)
++          super.to_str
++        end
++
++        def #{unsafe_method}!(*args)
++          raise TypeError, "Cannot modify SafeBuffer in place"
++        end
++      EOT
++    end
+   end
+ end
+ 
+--- test/safe_buffer_test.rb
++++ test/safe_buffer_test.rb
+@@ -38,4 +38,16 @@ class SafeBufferTest < ActiveSupport::TestCase
+     new_buffer = @buffer.to_s
+     assert_equal ActiveSupport::SafeBuffer, new_buffer.class
+   end
++
++  test "Should not return safe buffer from gsub" do
++    altered_buffer = @buffer.gsub('', 'asdf')
++    assert_equal 'asdf', altered_buffer
++    assert !altered_buffer.html_safe?
++  end
++
++  test "Should not allow gsub! on safe buffers" do
++    assert_raise TypeError do
++      @buffer.gsub!('', 'asdf')
++    end
++  end
+ end
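Review bot: The denylist in the new `UNSAFE_STRING_METHODS` constant lists `slice` but not `[]`, and in MRI the two are separate method entries rather than one aliased method, so overriding `slice` still leaves `buffer[0..1]` returning a SafeBuffer that reports `html_safe?` as true; other String methods that return an instance of the receiver's class on the Ruby versions of this era (`center`, `ljust`, `rjust`, `*` — verify against the target interpreter) are likewise not covered. A regression test next to the two new ones in safe_buffer_test.rb, e.g. `assert !@buffer[0..1].html_safe?`, would pin this, and a comment on the constant such as `# Any String method returning an instance of self's class must be listed here` tells the next maintainer why the list needs extending. As a point of style, `for unsafe_method in UNSAFE_STRING_METHODS` leaks `unsafe_method` as a local in the class body; `UNSAFE_STRING_METHODS.each do |unsafe_method|` is the idiomatic form and avoids that. The `class SafeBuffer` body that the inner patch modifies starts and ends outside its hunk.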
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index b499bd7..e69b3aa 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -31,6 +31,11 @@ Patch1: activesupport-tests-fix.patch
 # is in Fedora http://bugzilla.redhat.com/show_bug.cgi?id=668822
 Patch2: activesupport-remove-memcache-build-dep.patch
 
+# CVE-2011-2197
+# http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
+# FIX: https://gist.github.com/b2ceb626fc2bcdfe497f
+Patch3: cve-2011-2197-fix.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: ruby(abi) = %{rubyabi}
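Review bot: The `# FIX:` comment above `Patch3` cites a gist, which its owner can edit or delete, so a later maintainer cannot confirm that cve-2011-2197-fix.patch matches what upstream shipped. Record the authoritative reference alongside it, e.g. `# FIX: upstream commit <UPSTREAM-COMMIT-ID> (shipped in activesupport <FIXED-VERSION>)`. The Release tag and %changelog for this spec are outside the hunk, so whether the build was bumped for the security update cannot be seen here.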
@@ -53,7 +58,7 @@ goodies from the Rails framework
 %setup -q -c -T
 mkdir -p .%{gemdir}
 gem install --local --install-dir .%{gemdir} \
-            --force -V --rdoc %{SOURCE0}
+            --force -V --no-ri --no-rdoc %{SOURCE0}
 
 # move the tests into place
 tar xzvf %{SOURCE2} -C .%{geminstdir}
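Review bot: The change from `--rdoc` to `--no-ri --no-rdoc` on the `gem install` line is unrelated to CVE-2011-2197 and is not mentioned in the commit message, yet it alters what the package ships (no ri/rdoc data), which a reader of a security-only update would not expect. Either split it into its own commit or add one sentence to the description stating why it is bundled here.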
@@ -62,6 +67,7 @@ tar xzvf %{SOURCE2} -C .%{geminstdir}
 pushd .%{geminstdir}
 %patch1 -p0
 %patch2 -p0
+%patch3 -p0
 
 %build
 