rpms/rubygem-actionpack/F-12 rubygem-actionpack-2.3.x-CVE-2009-4214.patch, NONE, 1.1 rubygem-actionpack.spec, 1.14, 1.15
David Lutterkort
lutter at fedoraproject.org
Fri Dec 11 00:09:36 UTC 2009
Author: lutter
Update of /cvs/pkgs/rpms/rubygem-actionpack/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4388
Modified Files:
rubygem-actionpack.spec
Added Files:
rubygem-actionpack-2.3.x-CVE-2009-4214.patch
Log Message:
Patch for CVE-2009-4214 (bz 542786)
rubygem-actionpack-2.3.x-CVE-2009-4214.patch:
lib/action_controller/vendor/html-scanner/html/node.rb | 2 +-
test/controller/html-scanner/sanitizer_test.rb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE rubygem-actionpack-2.3.x-CVE-2009-4214.patch ---
>From bfe032858077bb2946abe25e95e485ba6da86bd5 Mon Sep 17 00:00:00 2001
From: Gabe da Silveira <gabe at websaviour.com>
Date: Mon, 16 Nov 2009 21:17:35 -0800
Subject: [PATCH] Make sure strip_tags removes tags which start with a non-printable character
Signed-off-by: Michael Koziarski <michael at koziarski.com>
---
.../vendor/html-scanner/html/node.rb | 2 +-
.../test/controller/html-scanner/sanitizer_test.rb | 1 +
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
index 6c03316..0cd05d8 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
@@ -162,7 +162,7 @@ module HTML #:nodoc:
end
closing = ( scanner.scan(/\//) ? :close : nil )
- return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+ return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
name.downcase!
unless closing
diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb
index e85a5c7..1923544 100644
--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -19,6 +19,7 @@ class SanitizerTest < ActionController::TestCase
assert_equal "This has a here.", sanitizer.sanitize("This has a <!-- comment --> here.")
assert_equal "This has a here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
+ assert_equal "non printable char is a tag", sanitizer.sanitize("<\x07a href='/hello'>non printable char is a tag</a>")
[nil, '', ' '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
end
--
1.6.0.1
Index: rubygem-actionpack.spec
===================================================================
RCS file: /cvs/pkgs/rpms/rubygem-actionpack/F-12/rubygem-actionpack.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -p -r1.14 -r1.15
--- rubygem-actionpack.spec 7 Oct 2009 23:12:56 -0000 1.14
+++ rubygem-actionpack.spec 11 Dec 2009 00:09:35 -0000 1.15
@@ -10,12 +10,13 @@ Summary: Web-flow and rendering framewor
Name: rubygem-%{gemname}
Epoch: 1
Version: 2.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.gem
Patch0: rubygem-actionpack-2.3.4-enable-test.patch
+Patch1: rubygem-actionpack-2.3.x-CVE-2009-4214.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
@@ -45,6 +46,7 @@ gem install --local --install-dir .%{gem
pushd .%{geminstdir}
%patch0 -p0
+%patch1 -p2
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -110,6 +112,9 @@ rake test --trace
%changelog
+* Thu Dec 10 2009 David Lutterkort <lutter at redhat.com> - 1:2.3.4-3
+- Patch for CVE-2009-4214 (bz 542786)
+
* Wed Oct 7 2009 David Lutterkort <lutter at redhat.com> - 1:2.3.4-2
- Bump Epoch to ensure upgrade path from F-11
More information about the scm-commits
mailing list