[rubygem-actionpack/f13/master] Fixed CVE-2011-0446.
Vít Ondruch
vondruch at fedoraproject.org
Thu Feb 24 13:06:18 UTC 2011
commit 6c4e3eed8f64ffa0747c436bb3e60b0f405563fe
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Feb 24 13:50:30 2011 +0100
Fixed CVE-2011-0446.
CVE-2011-0446.patch | 57 +++++++++++++++++++++++++++++++++++++++++++++++
rubygem-actionpack.spec | 8 +++++-
2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/CVE-2011-0446.patch b/CVE-2011-0446.patch
new file mode 100644
index 0000000..486c359
--- /dev/null
+++ b/CVE-2011-0446.patch
@@ -0,0 +1,57 @@
+From 349725b1759b110256b54b45080b6986b471080a Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Wed, 8 Dec 2010 13:46:37 +1300
+Subject: [PATCH 1/2] Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.
+
+This fixes CVE-2011-0446
+---
+ actionpack/lib/action_view/helpers/url_helper.rb | 3 ++-
+ actionpack/test/template/url_helper_test.rb | 8 ++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
+index 74cb448..8654adb 100644
+--- a/actionpack/lib/action_view/helpers/url_helper.rb
++++ b/actionpack/lib/action_view/helpers/url_helper.rb
+@@ -473,7 +473,8 @@ module ActionView
+ email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
+
+ if encode == "javascript"
+- "document.write('#{content_tag("a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:"+email_address+extras }))}');".each_byte do |c|
++ html = content_tag("a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:"+html_escape(email_address)+extras }))
++ "document.write('#{escape_javascript(html)}');".each_byte do |c|
+ string << sprintf("%%%x", c)
+ end
+ "<script type=\"#{Mime::JS}\">eval(decodeURIComponent('#{string}'))</script>"
+diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
+index 9d541fc..480624f 100644
+--- a/actionpack/test/template/url_helper_test.rb
++++ b/actionpack/test/template/url_helper_test.rb
+@@ -329,11 +329,11 @@ class UrlHelperTest < ActionView::TestCase
+ end
+
+ def test_mail_to_with_javascript
+- assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me at domain.com", "My email", :encode => "javascript")
++ assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%5c%22%3e%4d%79%20%65%6d%61%69%6c%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("me at domain.com", "My email", :encode => "javascript")
+ end
+
+ def test_mail_to_with_javascript_unicode
+- assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%75%6e%69%63%6f%64%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%22%3e%c3%ba%6e%69%63%6f%64%65%3c%2f%61%3e%27%29%3b'))</script>", mail_to("unicode at example.com", "únicode", :encode => "javascript")
++ assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%75%6e%69%63%6f%64%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%5c%22%3e%c3%ba%6e%69%63%6f%64%65%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("unicode at example.com", "únicode", :encode => "javascript")
+ end
+
+ def test_mail_with_options
+@@ -357,8 +357,8 @@ class UrlHelperTest < ActionView::TestCase
+ assert_dom_equal "<a href=\"mailto:%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">me(at)domain.com</a>", mail_to("me at domain.com", nil, :encode => "hex", :replace_at => "(at)")
+ assert_dom_equal "<a href=\"mailto:%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">My email</a>", mail_to("me at domain.com", "My email", :encode => "hex", :replace_at => "(at)")
+ assert_dom_equal "<a href=\"mailto:%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">me(at)domain(dot)com</a>", mail_to("me at domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
+- assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me at domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
+- assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%6d%65%28%61%74%29%64%6f%6d%61%69%6e%28%64%6f%74%29%63%6f%6d%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me at domain.com", nil, :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
++ assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%5c%22%3e%4d%79%20%65%6d%61%69%6c%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("me at domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
++ assert_dom_equal "<script type=\"text/javascript\">eval(decodeURIComponent('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%5c%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%5c%22%3e%6d%65%28%61%74%29%64%6f%6d%61%69%6e%28%64%6f%74%29%63%6f%6d%3c%5c%2f%61%3e%27%29%3b'))</script>", mail_to("me at domain.com", nil, :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
+ end
+
+ def protect_against_forgery?
+--
+1.7.2
+
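Review bot: The link text is still placed into the markup unescaped on the new `html = content_tag("a", name || email_address_obfuscated, ...)` line; `escape_javascript(html)` protects only the JavaScript string literal (the tests show `"` becoming `\"` and `</` becoming `<\/`), not the HTML that `document.write` later inserts, so a caller passing untrusted `name` still gets markup injection in the written link, exactly as in the non-JavaScript branches of `mail_to`. That matches the 2.3 convention that the caller escapes `name`, but it is worth stating beside the fix so the CVE patch is not read as making this branch safe for untrusted input: `# name / obfuscated address are trusted HTML here (same as the other encodings); escape_javascript only guards the JS string literal`. Separately, the context line `string << sprintf("%%%x", c)` emits a single hex digit for bytes below 0x10 (a tab yields `%9`), which `decodeURIComponent` rejects with a URIError; `escape_javascript` handles `\n`/`\r` but not tab or other control bytes, so `sprintf("%%%02x", c)` is the robust form. `extras` is assembled before this hunk, so whether its subject/body/cc values are escaped for the `href` cannot be confirmed from here; the enclosing `mail_to` method starts and ends outside the hunk.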
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index a5167da..25198ad 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -10,7 +10,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 2.3.5
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -20,6 +20,8 @@ Patch0: rubygem-actionpack-2.3.4-enable-test.patch
# Please someone fix the following Patch2!! (mtasaka)
#
Patch2: rubygem-actionpack-2.3.5-rack-compat.patch
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+Patch3: CVE-2011-0446.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
@@ -54,6 +56,7 @@ sed -i -e '/rack/s|~>|>=|' \
pushd .%{geminstdir}
%patch0 -p0
%patch2 -p0
+%patch3 -p2
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -124,6 +127,9 @@ rake test --trace
%changelog
+* Thu Feb 24 2011 Vít Ondruch <vondruch at redhat.com> - 1:2.3.5-4
+- Fixed CVE-2011-0446
+
* Wed Sep 15 2010 Mohammed Morsi <mmorsi at redhat.com> - 1:2.3.5-3
- additional rack compat fix (in patch2)
- https://bugzilla.redhat.com/show_bug.cgi?id=617803