[rubygem-activesupport/f17] Fixes for CVE-2012-3464.

Vít Ondruch vondruch at fedoraproject.org
Tue Aug 14 13:08:34 UTC 2012


commit fb9c044d7ba52a59b4531f69f89c74665823c0cf
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Tue Aug 14 15:06:53 2012 +0200

    Fixes for CVE-2012-3464.

 ...4-html_escape-should-escape-single-quotes.patch |   76 ++++++++++++++++++++
 rubygem-activesupport.spec                         |   14 +++-
 2 files changed, 88 insertions(+), 2 deletions(-)
---
diff --git a/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch b/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
new file mode 100644
index 0000000..c8f156e
--- /dev/null
+++ b/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
@@ -0,0 +1,76 @@
+From 780a718723cf87b49cfe204d355948c4e0932d23 Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Tue, 31 Jul 2012 22:25:54 -0300
+Subject: [PATCH] html_escape should escape single quotes
+
+https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
+Closes #7215
+
+Conflicts:
+	activesupport/lib/active_support/core_ext/string/output_safety.rb
+	activesupport/test/core_ext/string_ext_test.rb
+---
+ .../core_ext/string/output_safety.rb               |  6 ++--
+ activesupport/test/core_ext/string_ext_test.rb     | 17 ++++++++++++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 0358873..b25592a 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
++++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -3,13 +3,13 @@ require 'active_support/core_ext/kernel/singleton_class'
+ 
+ class ERB
+   module Util
+-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
++    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
+     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+ 
+     # A utility method for escaping HTML tag characters.
+     # This method is also aliased as <tt>h</tt>.
+     #
+-    # In your ERb templates, use this method to escape any unsafe content. For example:
++    # In your ERB templates, use this method to escape any unsafe content. For example:
+     #   <%=h @person.name %>
+     #
+     # ==== Example:
+@@ -20,7 +20,7 @@ class ERB
+       if s.html_safe?
+         s
+       else
+-        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
++        s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
+       end
+     end
+ 
+diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
+index 8f07cd1..be9a41b 100644
+--- a/activesupport/test/core_ext/string_ext_test.rb
++++ b/activesupport/test/core_ext/string_ext_test.rb
+@@ -527,6 +527,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
+     assert string.html_safe?
+     assert !string.to_param.html_safe?
+   end
++
++  test "ERB::Util.html_escape should escape unsafe characters" do
++    string = '<>&"\''
++    expected = '&lt;&gt;&amp;&quot;&#x27;'
++    assert_equal expected, ERB::Util.html_escape(string)
++  end
++
++  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
++    string = [192, 60].pack('CC')
++    expected = 192.chr + "&lt;"
++    assert_equal expected, ERB::Util.html_escape(string)
++  end
++
++  test "ERB::Util.html_escape should not escape safe strings" do
++    string = "<b>hello</b>".html_safe
++    assert_equal string, ERB::Util.html_escape(string)
++  end
+ end
+ 
+ class StringExcludeTest < ActiveSupport::TestCase
+-- 
+1.7.11.2
+
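Review bot: The replacement line `s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe` drops the `.to_s` the removed line had, so a `nil` or non-String argument now raises NoMethodError instead of being coerced; the method's definition line is outside this hunk, so whether an earlier `s = s.to_s` already guards this cannot be confirmed here and should be checked before the patch is taken as equivalent. The `/n` flag is doing the security-relevant work and is undocumented: it matches bytewise so invalid UTF-8 input (exercised by the new `[192, 60].pack('CC')` test) is still escaped rather than raising ArgumentError, which is safe because every escaped character is single-byte ASCII, though on Ruby 1.9 it may emit a `regexp match /.../n against to UTF-8 string` warning under -w. I would add above the gsub: `# /n: byte-wise match so invalid UTF-8 is still escaped instead of raising ArgumentError`. The OWASP rule the commit message cites also lists `/` as `&#x2F;`; stopping at these five characters is sufficient for the single-quoted-attribute case CVE-2012-3464 covers, but is worth recording as a deliberate scope choice.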
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index b13b66d..16a1002 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -7,7 +7,7 @@ Summary: Support and utility classes used by the Rails framework
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.0.11
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -39,6 +39,10 @@ Patch3: activesupport-CVE-2012-1098-safe-buffer-slice.patch
 # it under %%{gem_dir} (therefore if not in Gemfile, it won't be found).
 Patch4: activesupport-add-bigdecimal-dependency.patch
 
+# CVE-2012-3464
+# https://bugzilla.redhat.com/show_bug.cgi?id=847199
+Patch5: activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: ruby(rubygems)
 Requires: ruby(abi) = %{rubyabi}
@@ -74,6 +78,7 @@ pushd .%{gem_instdir}
 %patch1 -p0
 %patch2 -p0
 %patch3 -p2
+%patch5 -p2
 popd
 
 pushd .%{gem_dir}
@@ -89,7 +94,9 @@ cp -a .%{gem_dir}/* %{buildroot}%{gem_dir}
 
 %check
 pushd %{buildroot}%{gem_instdir} 
-ruby -Itest -e "Dir.glob('./test/**/*_test.rb').each {|t| require t}"
+# The error seems to be caused by updated mocha. The test suite passes with mocha 0.10.0.
+ruby -Itest -e "Dir.glob('./test/**/*_test.rb').each {|t| require t}" | \
+	grep "2197 tests, 9720 assertions, 0 failures, 1 errors, 0 skips"
 popd
 
 %files
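Review bot: The grep gate in `%check` accepts any run that reports exactly `1 errors`, not specifically the known mocha-related one, so a new genuine error (for example in the html_escape tests this update adds) still passes as long as the old one keeps firing, and the hard-coded `2197 tests, 9720 assertions` counts tie the build to this exact test set. Because the pipe makes grep's exit status the only gate, the full test output is also lost from the build log when grep fails, leaving nothing to diagnose. I would tee the output so it survives in the log, `ruby -Itest -e "..." | tee check.log | grep "…"`, and name the erroring test in the comment (`# Known single error: <test>, caused by newer mocha; all other tests must pass`) so a future reader can tell whether the one tolerated error is still the same one.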
@@ -105,6 +112,9 @@ popd
 
 
 %changelog
+* Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-6
+- Fixes for CVE-2012-3464.
+
 * Wed Apr 18 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.11-5
 - Add the bigdecimal dependency to gemspec.
 

