[perl-Mojolicious/f14/master] Attempt at CVE-2011-1841(#701719)

Yanko Kaneti yaneti at fedoraproject.org
Tue May 3 17:46:07 UTC 2011


commit 864a97192521adddc4a9586d382da4c602e2fc07
Author: Yanko Kaneti <yaneti at declera.com>
Date:   Tue May 3 20:46:04 2011 +0300

    Attempt at CVE-2011-1841(#701719)

 perl-Mojolicious-security-CVE-2011-1841.patch |   14 ++++++++++++++
 perl-Mojolicious.spec                         |    7 ++++++-
 2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/perl-Mojolicious-security-CVE-2011-1841.patch b/perl-Mojolicious-security-CVE-2011-1841.patch
new file mode 100644
index 0000000..38b8dcd
--- /dev/null
+++ b/perl-Mojolicious-security-CVE-2011-1841.patch
@@ -0,0 +1,14 @@
+Only in Mojolicious-0.999925.xss: Changes.orig
+Only in Mojolicious-0.999925.xss: Changes.rej
+diff -ur Mojolicious-0.999925/lib/Mojolicious/Plugin/TagHelpers.pm Mojolicious-0.999925.xss/lib/Mojolicious/Plugin/TagHelpers.pm
+--- Mojolicious-0.999925/lib/Mojolicious/Plugin/TagHelpers.pm	2010-05-25 19:21:45.000000000 +0300
++++ Mojolicious-0.999925.xss/lib/Mojolicious/Plugin/TagHelpers.pm	2011-05-03 20:18:35.768803106 +0300
+@@ -73,7 +73,7 @@
+             my $captures = ref $_[0] eq 'HASH' ? shift : {};
+ 
+             # Default content
+-            push @_, sub { ucfirst $name }
++            push @_, sub { $name = Mojo::ByteStream->new($name)->xml_escape->to_string; ucfirst $name }
+               unless defined $_[-1] && ref $_[-1] eq 'CODE';
+ 
+             $self->_tag('a', href => $c->url_for($name, $captures), @_);
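Review bot: The new default-content closure on the `push @_, sub { ... }` line escapes by reassigning the captured `$name`, so the escape is a side effect of rendering the content, and a second invocation of that closure would escape the text twice. Computing the escaped text without touching `$name` avoids this and leaves the value passed to `url_for` on the last line visibly unaffected: `push @_, sub { ucfirst Mojo::ByteStream->new($name)->xml_escape->to_string }`. The hunk does not show whether `Mojo::ByteStream` is already loaded in TagHelpers.pm; if it is not, the patch needs a `use Mojo::ByteStream;` there. Only the default link text is escaped here, and the enclosing helper starts and ends outside the hunk, so content supplied by a caller's own code ref is presumably still the caller's responsibility, which is worth stating in a comment next to the change.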
diff --git a/perl-Mojolicious.spec b/perl-Mojolicious.spec
index 6ef4906..90dc89f 100644
--- a/perl-Mojolicious.spec
+++ b/perl-Mojolicious.spec
@@ -1,12 +1,13 @@
 Name:           perl-Mojolicious
 Version:        0.999929
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A next generation web framework for Perl
 License:        Artistic 2.0
 Group:          Development/Libraries
 URL:            http://mojolicious.org/
 Source0:        http://www.cpan.org/authors/id/K/KR/KRAIH/Mojolicious-%{version}.tar.gz
 Patch0:         perl-Mojolicious-security-bug697230.patch
+Patch1:         perl-Mojolicious-security-CVE-2011-1841.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 BuildRequires:  perl >= 0:5.008007
@@ -27,6 +28,7 @@ a new attempt at implementing this idea using state of the art technology.
 %prep
 %setup -q -n Mojolicious-%{version}
 %patch0 -p1 -b .bug697230
+%patch1 -p1 -b .CVE-2011-1841
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
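Review bot: `%patch1 -p1` applies a patch whose `diff -ur` header shows it was generated against Mojolicious-0.999925, while this spec builds 0.999929, so the `@@ -73,7` hunk may apply only with an offset or fuzz. Please confirm in the build log that it landed in the anchor-tag helper's default-content branch and not in a similar-looking neighbour. The `Only in ... Changes.orig` and `Changes.rej` lines at the top of the patch suggest part of the original change was rejected when the patch was prepared; regenerating it against the 0.999929 tree and dropping those lines would make clear what is actually fixed. A comment above `Patch1:` such as `# CVE-2011-1841 (#701719): escape default link text` would document the intent for the next packager.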
@@ -58,6 +60,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 
 %changelog
+* Tue May  3 2011 Yanko Kaneti <yaneti at declera.com> 0.999929-3
+- Attempt at CVE-2011-1841(#701719)
+
 * Sun Apr 17 2011 Yanko Kaneti <yaneti at declera.com> 0.999929-2
 - Security bugfix attempt.
 

