[rubygem-actionpack/f15] fix for cve-2011-2197
Mohammed Morsi
mmorsi at fedoraproject.org
Thu Jun 23 20:15:08 UTC 2011
commit f52b8f4fa30f6e83a3bffd92c89577ce4f49c029
Author: Mo Morsi <mmorsi at redhat.com>
Date: Thu Jun 23 16:13:19 2011 -0400
fix for cve-2011-2197
cve-2011-2197-actionpack-fix.patch | 252 ++++++++++++++++++++++++++++++++++++
rubygem-actionpack.spec | 13 ++-
sources | 2 +-
3 files changed, 265 insertions(+), 2 deletions(-)
---
diff --git a/cve-2011-2197-actionpack-fix.patch b/cve-2011-2197-actionpack-fix.patch
new file mode 100644
index 0000000..1690399
--- /dev/null
+++ b/cve-2011-2197-actionpack-fix.patch
@@ -0,0 +1,252 @@
+--- lib/action_view/helpers/text_helper.rb.orig 2011-06-16 21:02:32.000000000 -0400
++++ lib/action_view/helpers/text_helper.rb 2011-06-16 21:07:58.000000000 -0400
+@@ -115,13 +115,12 @@ module ActionView
+ end
+ options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
+
+- text = sanitize(text) unless options[:sanitize] == false
+- if text.blank? || phrases.blank?
+- text
+- else
++ if text.present? && phrases.present?
+ match = Array(phrases).map { |p| Regexp.escape(p) }.join('|')
+- text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
+- end.html_safe
++ text = text.to_str.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
++ end
++ text = sanitize(text) unless options[:sanitize] == false
++ text
+ end
+
+ # Extracts an excerpt from +text+ that matches the first instance of +phrase+.
+@@ -251,14 +250,16 @@ module ActionView
+ # simple_format("Look ma! A class!", :class => 'description')
+ # # => "<p class='description'>Look ma! A class!</p>"
+ def simple_format(text, html_options={}, options={})
+- text = ''.html_safe if text.nil?
++ text = text ? text.to_str : ''
++ text = text.dup if text.frozen?
+ start_tag = tag('p', html_options, true)
+- text = sanitize(text) unless options[:sanitize] == false
+ text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
+ text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
+ text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
+ text.insert 0, start_tag
+- text.html_safe.safe_concat("</p>")
++ text.concat("</p>")
++ text = sanitize(text) unless options[:sanitize] == false
++ text
+ end
+
+ # Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
+@@ -477,7 +478,7 @@ module ActionView
+ # is yielded and the result is used as the link text.
+ def auto_link_urls(text, html_options = {}, options = {})
+ link_attributes = html_options.stringify_keys
+- text.gsub(AUTO_LINK_RE) do
++ text.to_str.gsub(AUTO_LINK_RE) do
+ scheme, href = $1, $&
+ punctuation = []
+
+@@ -494,14 +495,12 @@ module ActionView
+ end
+ end
+
+- link_text = block_given?? yield(href) : href
++ link_text = block_given? ? yield(href) : href
+ href = 'http://' + href unless scheme
+
+- unless options[:sanitize] == false
+- link_text = sanitize(link_text)
+- href = sanitize(href)
+- end
+- content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
++ sanitize = options[:sanitize] != false
++ content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
++
+ end
+ end.html_safe
+ end
+@@ -509,18 +508,14 @@ module ActionView
+ # Turns all email addresses into clickable links. If a block is given,
+ # each email is yielded and the result is used as the link text.
+ def auto_link_email_addresses(text, html_options = {}, options = {})
+- text.gsub(AUTO_EMAIL_RE) do
++ text.to_str.gsub(AUTO_EMAIL_RE) do
+ text = $&
+
+ if auto_linked?($`, $')
+ text.html_safe
+ else
+- display_text = (block_given?) ? yield(text) : text
+-
+- unless options[:sanitize] == false
+- text = sanitize(text)
+- display_text = sanitize(display_text) unless text == display_text
+- end
++ display_text = block_given? ? yield(text) : text
++ display_text = sanitize(display_text) unless options[:sanitize] == false
+ mail_to text, display_text, html_options
+ end
+ end
+--- test/template/text_helper_test.rb.orig 2011-06-16 21:03:06.000000000 -0400
++++ test/template/text_helper_test.rb 2011-06-16 21:10:53.000000000 -0400
+@@ -48,6 +48,11 @@ class TextHelperTest < ActionView::TestC
+ assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false)
+ end
+
++ def test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false
++ assert !simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false).html_safe?
++ end
++
++
+ def test_truncate_should_not_be_html_safe
+ assert !truncate("Hello World!", :length => 12).html_safe?
+ end
+@@ -166,6 +171,13 @@ class TextHelperTest < ActionView::TestC
+ )
+ end
+
++ def test_highlight_on_an_html_safe_string
++ assert_equal(
++ "<p>This is a <b>beautiful</b> morning, but also a <b>beautiful</b> day</p>",
++ highlight("<p>This is a beautiful morning, but also a beautiful day</p>".html_safe, "beautiful", :highlighter => '<b>\1</b>')
++ )
++ end
++
+ def test_highlight_with_html
+ assert_equal(
+ "<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
+@@ -306,13 +318,10 @@ class TextHelperTest < ActionView::TestC
+ end
+ end
+
+- def generate_result(link_text, href = nil, escape = false)
+- href ||= link_text
+- if escape
+- %{<a href="#{CGI::escapeHTML href}">#{CGI::escapeHTML link_text}</a>}
+- else
+- %{<a href="#{href}">#{link_text}</a>}
+- end
++ def generate_result(link_text, href = nil)
++ href = CGI::escapeHTML(href || link_text)
++ text = CGI::escapeHTML(link_text)
++ %{<a href="#{href}">#{text}</a>}
+ end
+
+ def test_auto_link_should_be_html_safe
+@@ -323,6 +332,8 @@ class TextHelperTest < ActionView::TestC
+ assert auto_link('').html_safe?
+ assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
+ assert auto_link("hello #{email_raw}").html_safe?
++ assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
++ assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
+ end
+
+ def test_auto_link
+@@ -419,7 +430,7 @@ class TextHelperTest < ActionView::TestC
+
+ def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
+ link_raw = %{http://www.rubyonrails.com?id=1&num=2}
+- assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
++ assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
+ end
+
+ def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
+--- test/abstract_unit.rb.orig 2011-06-17 07:51:44.000000000 -0400
++++ test/abstract_unit.rb 2011-06-16 22:41:52.000000000 -0400
+@@ -169,6 +169,7 @@ class BasicController
+ config.assets_dir = public_dir
+ config.javascripts_dir = "#{public_dir}/javascripts"
+ config.stylesheets_dir = "#{public_dir}/stylesheets"
++ config.assets = ActiveSupport::InheritableOptions.new({ :prefix => "assets" })
+ config
+ end
+ end
+--- lib/action_view/helpers/url_helper.rb.orig 2011-06-16 22:39:58.000000000 -0400
++++ lib/action_view/helpers/url_helper.rb 2011-06-16 22:40:35.000000000 -0400
+@@ -483,7 +483,7 @@ module ActionView
+ extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil?
+ extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
+
+- email_address_obfuscated = email_address.dup
++ email_address_obfuscated = email_address.to_str
+ email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
+ email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
+
+@@ -491,7 +491,7 @@ module ActionView
+
+ if encode == "javascript"
+ html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
+- html = escape_javascript(html)
++ html = escape_javascript(html.to_str)
+ "document.write('#{html}');".each_byte do |c|
+ string << sprintf("%%%x", c)
+ end
+--- lib/action_view/helpers/cache_helper.rb.orig 2011-06-16 22:38:31.000000000 -0400
++++ lib/action_view/helpers/cache_helper.rb 2011-06-16 22:39:35.000000000 -0400
+@@ -53,7 +53,13 @@ module ActionView
+ # This dance is needed because Builder can't use capture
+ pos = output_buffer.length
+ yield
+- fragment = output_buffer.slice!(pos..-1)
++ if output_buffer.is_a?(ActionView::OutputBuffer)
++ safe_output_buffer = output_buffer.to_str
++ fragment = safe_output_buffer.slice!(pos..-1)
++ self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer)
++ else
++ fragment = output_buffer.slice!(pos..-1)
++ end
+ controller.write_fragment(name, fragment, options)
+ end
+ end
+--- test/template/text_helper_test.rb.orig 2011-06-17 08:28:21.000000000 -0400
++++ test/template/text_helper_test.rb 2011-06-17 08:30:42.000000000 -0400
+@@ -324,16 +324,20 @@ class TextHelperTest < ActionView::TestC
+ %{<a href="#{href}">#{text}</a>}
+ end
+
+- def test_auto_link_should_be_html_safe
++ def test_auto_link_should_no_be_html_safe
+ email_raw = 'santiago at wyeworks.com'
+ link_raw = 'http://www.rubyonrails.org'
+
+- assert auto_link(nil).html_safe?
+- assert auto_link('').html_safe?
+- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
+- assert auto_link("hello #{email_raw}").html_safe?
+- assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
+- assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
++ assert !auto_link(nil).html_safe?, 'should not be html safe'
++ assert !auto_link('').html_safe?, 'should not be html safe'
++ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
++ assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
++ end
++
++ def test_auto_link_email_address
++ email_raw = 'aaron at tenderlovemaking.com'
++ email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>}
++ assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe'
+ end
+
+ def test_auto_link
+--- lib/action_view/helpers/text_helper.rb.orig 2011-06-17 08:29:06.000000000 -0400
++++ lib/action_view/helpers/text_helper.rb 2011-06-17 08:29:25.000000000 -0400
+@@ -300,7 +300,7 @@ module ActionView
+ # # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
+ # Please e-mail me at <a href=\"mailto:me at email.com\">me at email.com</a>."
+ def auto_link(text, *args, &block)#link = :all, html = {}, &block)
+- return ''.html_safe if text.blank?
++ return '' if text.blank?
+
+ options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
+ unless args.empty?
+@@ -502,7 +502,7 @@ module ActionView
+ content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
+
+ end
+- end.html_safe
++ end
+ end
+
+ # Turns all email addresses into clickable links. If a block is given,
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 00766a1..20d8077 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.5
-Release: 1%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -40,6 +40,13 @@ Patch3: actionpack-downgrade-dependencies.patch
Patch4: actionpack-add-rack-mount-deps.patch
+# CVE-2011-2197
+# http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
+# FIXES: https://gist.github.com/b2ceb626fc2bcdfe497f
+# https://github.com/rails/rails/commit/c6503f48bd13c696fcc81f2a4a87b8cd7c009657
+# https://github.com/rails/rails/commit/2e757bc298cef715e5c56945161bbd84f2610729
+Patch5: cve-2011-2197-actionpack-fix.patch
+
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -97,6 +104,7 @@ pushd .%{geminstdir}
%patch0 -p0
%patch1 -p0
%patch2 -p0
+%patch5 -p0
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -168,6 +176,9 @@ rake test --trace
%changelog
+* Thu Jun 16 2011 Mo Morsi <mmorsi at redhat.com> - 1:3.0.5-3
+- Include fix for CVE-2011-2197
+
* Fri Mar 25 2011 Vít Ondruch <vondruch at redhat.com> - 1:3.0.5-1
- Updated to ActionPack 3.0.5
diff --git a/sources b/sources
index 2bc6203..a30a738 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
af25980a393ab111f9fcef3d65f73c89 actionpack-3.0.5.gem
-00cb87071ba9ad6de3327a347b22e836 actionpack-tests.tgz
+a47bc0fc9767db45f37676c39ea0e49c actionpack-tests.tgz
More information about the scm-commits
mailing list