[rubygem-actionpack/f17] Fixes for CVE-2012-3463, CVE-2012-3464 and CVE-2012-3465.

Vít Ondruch vondruch at fedoraproject.org
Tue Aug 14 14:30:04 UTC 2012


commit 1123d3071331cc86d66483c2d093593d4774daee
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Tue Aug 14 16:27:33 2012 +0200

    Fixes for CVE-2012-3463, CVE-2012-3464 and CVE-2012-3465.

 ...2012-3463-escape-select_tag-prompt-values.patch |   29 ++
 ...464-Fix-tests-about-single-quote-escaping.patch |   58 +++++
 ...4-html_escape-should-escape-single-quotes.patch |  271 ++++++++++++++++++++
 ...o-not-mark-strip_tags-result-as-html_safe.patch |   45 ++++
 rubygem-actionpack.spec                            |   22 ++-
 5 files changed, 424 insertions(+), 1 deletions(-)
---
diff --git a/actionpack-3.0.17-CVE-2012-3463-escape-select_tag-prompt-values.patch b/actionpack-3.0.17-CVE-2012-3463-escape-select_tag-prompt-values.patch
new file mode 100644
index 0000000..8a35e73
--- /dev/null
+++ b/actionpack-3.0.17-CVE-2012-3463-escape-select_tag-prompt-values.patch
@@ -0,0 +1,29 @@
+From c9795871baacbe85ed4f19c2b830006fc6faeffd Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Wed, 8 Aug 2012 15:20:47 -0700
+Subject: [PATCH] escape select_tag :prompt values
+
+CVE-2012-3463
+---
+ actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
+index 4b808ad..bb5071c 100644
+--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
++++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
+@@ -100,9 +100,9 @@ module ActionView
+         html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
+         if blank = options.delete(:include_blank)
+           if blank.kind_of?(String)
+-            option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
++            option_tags = content_tag(:option, blank, :value => '').safe_concat(option_tags)
+           else
+-            option_tags = "<option value=\"\"></option>".html_safe + option_tags
++            option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
+           end
+         end
+         content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
+-- 
+1.7.11.2
+
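Review bot: The patch subject says it escapes select_tag `:prompt` values, but the hunk only rewrites the two `:include_blank` branches (the string form at `content_tag(:option, blank, :value => '')` and the empty form below it); in this version of the helper the string form of `:include_blank` appears to be the prompt mechanism, so it is worth confirming that no separate `:prompt` handling exists in the enclosing method, whose body continues outside the hunk. As far as visible the new code is right: `content_tag` escapes `blank` unless it is already marked html_safe, and `safe_concat` appends the existing `option_tags` without escaping them twice. A caller that passes an html_safe string as `:include_blank` still bypasses escaping, which is the html_safe contract rather than a gap in this fix.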
diff --git a/actionpack-3.0.17-CVE-2012-3464-Fix-tests-about-single-quote-escaping.patch b/actionpack-3.0.17-CVE-2012-3464-Fix-tests-about-single-quote-escaping.patch
new file mode 100644
index 0000000..c4c1023
--- /dev/null
+++ b/actionpack-3.0.17-CVE-2012-3464-Fix-tests-about-single-quote-escaping.patch
@@ -0,0 +1,58 @@
+From 9ef905f19807c62fb549ae6fe3784be4bcda96dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Tue, 7 Aug 2012 22:38:40 -0300
+Subject: [PATCH] Fix tests about single quote escaping
+
+---
+ actionpack/test/template/asset_tag_helper_test.rb | 13 ++++++-------
+ actionpack/test/template/text_helper_test.rb      |  2 +-
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/actionpack/test/template/asset_tag_helper_test.rb b/actionpack/test/template/asset_tag_helper_test.rb
+index 5f32244..63e10be 100644
+--- a/actionpack/test/template/asset_tag_helper_test.rb
++++ b/actionpack/test/template/asset_tag_helper_test.rb
+@@ -162,8 +162,7 @@ class AssetTagHelperTest < ActionView::TestCase
+     %(image_tag("//www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="//www.rubyonrails.com/images/rails.png" />),
+     %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
+     %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
+-    %(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />),
+-    %(image_tag("", :alt => nil)) => %(<img src="" />),
++    %(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />)
+   }
+ 
+   FaviconLinkToTag = {
+@@ -1020,11 +1019,11 @@ class AssetTagHelperNonVhostTest < ActionView::TestCase
+   def test_should_compute_proper_path_with_asset_host
+     @controller.config.asset_host = "http://assets.example.com"
+     assert_dom_equal(%(<link href="http://www.example.com/collaboration/hieraki" rel="alternate" title="RSS" type="application/rss+xml" />), auto_discovery_link_tag)
+-    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
+-    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
+-    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
+-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
++    assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
++    assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
++    assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
++    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
++    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;http://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+   end
+ 
+   def test_should_compute_proper_path_with_asset_host_and_default_protocol
+diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
+index 9795a3f..acd6097 100644
+--- a/actionpack/test/template/text_helper_test.rb
++++ b/actionpack/test/template/text_helper_test.rb
+@@ -305,7 +305,7 @@ class TextHelperTest < ActionView::TestCase
+       http://en.wikipedia.org/wiki/Wikipedia:Today%27s_featured_picture_%28animation%29/January_20%2C_2007
+       http://www.mail-archive.com/rails@lists.rubyonrails.org/
+       http://www.amazon.com/Testing-Equal-Sign-In-Path/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1198861734&sr=8-1
+-      http://en.wikipedia.org/wiki/Texas_hold'em
++      http://en.wikipedia.org/wiki/Texas_hold
+       https://www.google.com/doku.php?id=gps:resource:scs:start
+       http://connect.oraclecorp.com/search?search[q]=green+france&search[type]=Group
+       http://of.openfoundry.org/projects/492/download#4th.Release.3
+-- 
+1.7.11.2
+
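Review bot: This follow-up reverts the `gopher://` expectations in `test_should_compute_proper_path_with_asset_host` back to `http://` and drops the `image_tag("", :alt => nil)` case, both carried over from the 3.0.17 test file by the preceding html_escape patch, but it leaves `test_should_compute_proper_path_with_asset_host_and_default_protocol` (visible as context at the end of the first file's second hunk) intact with its `gopher://` expectations and the `default_asset_host_protocol = :request` setting that patch added. Whether actionpack 3.0.11 implements that option is not visible here; if it does not, the test fails in the build's `rake test` run, so it should be confirmed or removed in this same patch. The protocol-relative `image_tag("//www.rubyonrails.com/images/rails.png")` expectation added by the same patch is likewise kept and deserves the same check.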
diff --git a/actionpack-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch b/actionpack-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
new file mode 100644
index 0000000..5760d93
--- /dev/null
+++ b/actionpack-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
@@ -0,0 +1,271 @@
+From 780a718723cf87b49cfe204d355948c4e0932d23 Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Tue, 31 Jul 2012 22:25:54 -0300
+Subject: [PATCH] html_escape should escape single quotes
+
+https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
+Closes #7215
+
+Conflicts:
+	actionpack/test/controller/new_base/render_template_test.rb
+	actionpack/test/template/asset_tag_helper_test.rb
+	actionpack/test/template/erb_util_test.rb
+	actionpack/test/template/javascript_helper_test.rb
+	actionpack/test/template/template_test.rb
+	activesupport/lib/active_support/core_ext/string/output_safety.rb
+	activesupport/test/core_ext/string_ext_test.rb
+	railties/test/application/assets_test.rb
+---
+ actionpack/test/controller/render_test.rb          |  4 +--
+ actionpack/test/template/asset_tag_helper_test.rb  | 32 +++++++++++++++-------
+ actionpack/test/template/erb_util_test.rb          | 10 +++----
+ .../test/template/form_options_helper_test.rb      |  6 ++--
+ actionpack/test/template/form_tag_helper_test.rb   |  2 +-
+ actionpack/test/template/javascript_helper_test.rb | 10 +++----
+ actionpack/test/template/template_test.rb          |  2 +-
+ actionpack/test/template/url_helper_test.rb        | 10 +++----
+ 8 files changed, 44 insertions(+), 33 deletions(-)
+
+diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
+index 498931e..4d2a49d 100644
+--- a/actionpack/test/controller/render_test.rb
++++ b/actionpack/test/controller/render_test.rb
+@@ -149,7 +149,7 @@ class TestController < ActionController::Base
+ 
+   # :ported:
+   def render_text_hello_world_with_layout
+-    @variable_for_layout = ", I'm here!"
++    @variable_for_layout = ", I am here!"
+     render :text => "hello world", :layout => true
+   end
+ 
+@@ -776,7 +776,7 @@ class RenderTest < ActionController::TestCase
+   # :ported:
+   def test_do_with_render_text_and_layout
+     get :render_text_hello_world_with_layout
+-    assert_equal "<html>hello world, I'm here!</html>", @response.body
++    assert_equal "<html>hello world, I am here!</html>", @response.body
+   end
+ 
+   # :ported:
+diff --git a/actionpack/test/template/asset_tag_helper_test.rb b/actionpack/test/template/asset_tag_helper_test.rb
+index 18ef85d..5f32244 100644
+--- a/actionpack/test/template/asset_tag_helper_test.rb
++++ b/actionpack/test/template/asset_tag_helper_test.rb
+@@ -159,9 +159,11 @@ class AssetTagHelperTest < ActionView::TestCase
+     %(image_tag("slash..png")) => %(<img alt="Slash." src="/images/slash..png" />),
+     %(image_tag(".pdf.png")) => %(<img alt=".pdf" src="/images/.pdf.png" />),
+     %(image_tag("http://www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="http://www.rubyonrails.com/images/rails.png" />),
+-    %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
+-    %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
+-    %(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />)
++    %(image_tag("//www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="//www.rubyonrails.com/images/rails.png" />),
++    %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
++    %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
++    %(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />),
++    %(image_tag("", :alt => nil)) => %(<img src="" />),
+   }
+ 
+   FaviconLinkToTag = {
+@@ -1007,8 +1009,8 @@ class AssetTagHelperNonVhostTest < ActionView::TestCase
+     assert_dom_equal(%(/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
+     assert_dom_equal(%(/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
+     assert_dom_equal(%(/collaboration/hieraki/images/xml.png), image_path("xml.png"))
+-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse.png'" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse2.png'" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
++    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse.png&#x27;" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
++    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse2.png&#x27;" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+   end
+ 
+   def test_should_ignore_relative_root_path_on_complete_url
+@@ -1018,11 +1020,21 @@ class AssetTagHelperNonVhostTest < ActionView::TestCase
+   def test_should_compute_proper_path_with_asset_host
+     @controller.config.asset_host = "http://assets.example.com"
+     assert_dom_equal(%(<link href="http://www.example.com/collaboration/hieraki" rel="alternate" title="RSS" type="application/rss+xml" />), auto_discovery_link_tag)
+-    assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
+-    assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
+-    assert_dom_equal(%(http://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
+-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='http://assets.example.com/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='http://assets.example.com/collaboration/hieraki/images/mouse2.png'" src="http://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
++    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
++    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
++    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
++    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
++    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
++  end
++
++  def test_should_compute_proper_path_with_asset_host_and_default_protocol
++    @controller.config.asset_host = "assets.example.com"
++    @controller.config.default_asset_host_protocol = :request
++    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
++    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
++    assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
++    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
++    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+   end
+ 
+   def test_should_ignore_asset_host_on_complete_url
+diff --git a/actionpack/test/template/erb_util_test.rb b/actionpack/test/template/erb_util_test.rb
+index fc20b50..1fc4b84 100644
+--- a/actionpack/test/template/erb_util_test.rb
++++ b/actionpack/test/template/erb_util_test.rb
+@@ -7,11 +7,11 @@ class ErbUtilTest < Test::Unit::TestCase
+     define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
+       assert_equal expected, html_escape(given)
+     end
++  end
+ 
+-    unless given == '"'
+-      define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+-        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
+-      end
++  ERB::Util::JSON_ESCAPE.each do |given, expected|
++    define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
++      assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
+     end
+   end
+ 
+@@ -39,7 +39,7 @@ class ErbUtilTest < Test::Unit::TestCase
+ 
+   def test_rest_in_ascii
+     (0..127).to_a.map {|int| int.chr }.each do |chr|
+-      next if %w(& " < >).include?(chr)
++      next if %w(& " < > ').include?(chr)
+       assert_equal chr, html_escape(chr)
+     end
+   end
+diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb
+index b85e917..9b6a8bf 100644
+--- a/actionpack/test/template/form_options_helper_test.rb
++++ b/actionpack/test/template/form_options_helper_test.rb
+@@ -887,7 +887,7 @@ class FormOptionsHelperTest < ActionView::TestCase
+ 
+   def test_options_for_select_with_element_attributes
+     assert_dom_equal(
+-      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
++      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert(&#x27;Hello World&#x27;);\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+       options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
+     )
+   end
+@@ -923,14 +923,14 @@ class FormOptionsHelperTest < ActionView::TestCase
+   def test_option_html_attributes_with_multiple_element_hash
+     assert_dom_equal(
+-      " class=\"fancy\" onclick=\"alert('Hello World');\"",
++      " class=\"fancy\" onclick=\"alert(&#x27;Hello World&#x27;);\"",
+       option_html_attributes([ 'foo', 'bar', { :class => 'fancy', 'onclick' => "alert('Hello World');" } ])
+     )
+   end
+ 
+   def test_option_html_attributes_with_multiple_hashes
+     assert_dom_equal(
+-      " class=\"fancy\" onclick=\"alert('Hello World');\"",
++      " class=\"fancy\" onclick=\"alert(&#x27;Hello World&#x27;);\"",
+       option_html_attributes([ 'foo', 'bar', { :class => 'fancy' }, { 'onclick' => "alert('Hello World');" } ])
+     )
+   end
+
+diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
+index 532f086..3c94c7a 100644
+--- a/actionpack/test/template/form_tag_helper_test.rb
++++ b/actionpack/test/template/form_tag_helper_test.rb
+@@ -367,7 +367,7 @@ class FormTagHelperTest < ActionView::TestCase
+ 
+   def test_submit_tag
+     assert_dom_equal(
+-      %(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
++      %(<input name='commit' data-disable-with="Saving..." onclick="alert(&#x27;hello!&#x27;)" type="submit" value="Save" />),
+       submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
+     )
+   end
+diff --git a/actionpack/test/template/javascript_helper_test.rb b/actionpack/test/template/javascript_helper_test.rb
+index ba9ab89..47109f4 100644
+--- a/actionpack/test/template/javascript_helper_test.rb
++++ b/actionpack/test/template/javascript_helper_test.rb
+@@ -41,7 +41,7 @@ class JavaScriptHelperTest < ActionView::TestCase
+   end
+ 
+   def test_button_to_function
+-    assert_dom_equal %(<input type="button" onclick="alert('Hello world!');" value="Greeting" />),
++    assert_dom_equal %(<input type="button" onclick="alert(&#x27;Hello world!&#x27;);" value="Greeting" />),
+       button_to_function("Greeting", "alert('Hello world!')")
+   end
+ 
+@@ -60,7 +60,7 @@ class JavaScriptHelperTest < ActionView::TestCase
+   end
+ 
+   def test_button_to_function_with_onclick
+-    assert_dom_equal "<input onclick=\"alert('Goodbye World :('); alert('Hello world!');\" type=\"button\" value=\"Greeting\" />",
++    assert_dom_equal "<input onclick=\"alert(&#x27;Goodbye World :(&#x27;); alert(&#x27;Hello world!&#x27;);\" type=\"button\" value=\"Greeting\" />",
+       button_to_function("Greeting", "alert('Hello world!')", :onclick => "alert('Goodbye World :(')")
+   end
+ 
+@@ -70,12 +70,12 @@ class JavaScriptHelperTest < ActionView::TestCase
+   end
+ 
+   def test_link_to_function
+-    assert_dom_equal %(<a href="#" onclick="alert('Hello world!'); return false;">Greeting</a>),
++    assert_dom_equal %(<a href="#" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
+       link_to_function("Greeting", "alert('Hello world!')")
+   end
+ 
+   def test_link_to_function_with_existing_onclick
+-    assert_dom_equal %(<a href="#" onclick="confirm('Sanity!'); alert('Hello world!'); return false;">Greeting</a>),
++    assert_dom_equal %(<a href="#" onclick="confirm(&#x27;Sanity!&#x27;); alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
+       link_to_function("Greeting", "alert('Hello world!')", :onclick => "confirm('Sanity!')")
+   end
+ 
+@@ -94,7 +94,7 @@ class JavaScriptHelperTest < ActionView::TestCase
+   end
+ 
+   def test_link_to_function_with_href
+-    assert_dom_equal %(<a href="http://example.com/" onclick="alert('Hello world!'); return false;">Greeting</a>),
++    assert_dom_equal %(<a href="http://example.com/" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
+       link_to_function("Greeting", "alert('Hello world!')", :href => 'http://example.com/')
+   end
+ 
+diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb
+index c37ed9c..8d766c6 100644
+--- a/actionpack/test/template/template_test.rb
++++ b/actionpack/test/template/template_test.rb
+@@ -50,7 +50,7 @@ class TestERBTemplate < ActiveSupport::TestCase
+ 
+   def test_locals
+     @template = new_template("<%= my_local %>")
+-    assert_equal "I'm a local", render(:my_local => "I'm a local")
++    assert_equal "I am a local", render(:my_local => "I am a local")
+   end
+ 
+   def test_restores_buffer
+diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
+index f68af93..30e1269 100644
+--- a/actionpack/test/template/url_helper_test.rb
++++ b/actionpack/test/template/url_helper_test.rb
+@@ -188,7 +188,7 @@ class UrlHelperTest < ActiveSupport::TestCase
+ 
+   def test_link_tag_with_custom_onclick
+     link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
+-    expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
++    expected = %{<a href="http://www.example.com" onclick="alert(&#x27;yay!&#x27;)">Hello</a>}
+     assert_dom_equal expected, link
+   end
+ 
+@@ -198,12 +198,12 @@ class UrlHelperTest < ActiveSupport::TestCase
+       link_to("Hello", "http://www.example.com", :confirm => "Are you sure?")
+     )
+     assert_dom_equal(
+-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
+-      link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
++      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
++      link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
+     )
+     assert_dom_equal(
+-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
+-      link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
++      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
++      link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
+     )
+   end
+ 
+-- 
+1.7.11.2
+
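Review bot: This patch changes only test files — the diffstat lists eight files under `actionpack/test`, and the `Conflicts:` list shows that the actual change to `html_escape` in `activesupport/lib/active_support/core_ext/string/output_safety.rb` was left out of this cherry-pick — so inside rubygem-actionpack CVE-2012-3464 is asserted by tests but not fixed. The escaping change presumably ships in the rubygem-activesupport package, yet the spec's `Requires: rubygem(activesupport) = %{version}` pins only version 3.0.11 and not the release, so an unpatched activesupport build still satisfies the dependency at install time. Consider tightening that requirement or at least recording the coupling in the spec comment above `Patch10`, e.g. `# CVE-2012-3464: the html_escape change itself lives in rubygem-activesupport; these patches only update actionpack's tests`. The updated expectations will also fail the build's `rake test` run unless the activesupport seen at build time already escapes single quotes, which is the intended coupling but is not stated anywhere in the commit.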
diff --git a/actionpack-3.0.17-CVE-2012-3465-Do-not-mark-strip_tags-result-as-html_safe.patch b/actionpack-3.0.17-CVE-2012-3465-Do-not-mark-strip_tags-result-as-html_safe.patch
new file mode 100644
index 0000000..f6e833a
--- /dev/null
+++ b/actionpack-3.0.17-CVE-2012-3465-Do-not-mark-strip_tags-result-as-html_safe.patch
@@ -0,0 +1,45 @@
+From 1151959f97eeece3c2ae43e26e10bd4c77cbd50c Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Wed, 8 Aug 2012 14:33:39 -0700
+Subject: [PATCH] Do not mark strip_tags result as html_safe
+
+Thanks to Marek Labos & Nethemba
+
+CVE-2012-3465
+---
+ actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 +-
+ actionpack/test/template/sanitize_helper_test.rb      | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
+index 0fee34f..a08f5a0 100644
+--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
++++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
+@@ -81,7 +81,7 @@ module ActionView
+       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+       #   # => Welcome to my website!
+       def strip_tags(html)
+-        self.class.full_sanitizer.sanitize(html).try(:html_safe)
++        self.class.full_sanitizer.sanitize(html)
+       end
+ 
+       # Strips all link tags from +text+ leaving just the link text.
+diff --git a/actionpack/test/template/sanitize_helper_test.rb b/actionpack/test/template/sanitize_helper_test.rb
+index 222d4db..cc93b53 100644
+--- a/actionpack/test/template/sanitize_helper_test.rb
++++ b/actionpack/test/template/sanitize_helper_test.rb
+@@ -42,9 +42,9 @@ class SanitizeHelperTest < ActionView::TestCase
+     [nil, '', '   '].each do |blank|
+       stripped = strip_tags(blank)
+       assert_equal blank, stripped
+-      assert stripped.html_safe? unless blank.nil?
+     end
+-    assert strip_tags("<script>").html_safe?
++    assert_equal "", strip_tags("<script>")
++    assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
+   end
+ 
+   def test_sanitize_is_marked_safe
+-- 
+1.7.11.2
+
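Review bot: The doc comment above `strip_tags` (visible in the context lines) still shows only the stripped text and does not mention that the result is no longer marked html_safe and will be escaped by ERB on output, which is the behavioural change callers need to know about; add a line such as `# The returned string is not marked html_safe; it is escaped on output like any other string.` The new assertion in sanitize_helper_test illustrates why: the unterminated `<img onerror=alert(1337)` fragment survives sanitizing unchanged and is only neutralised by `ERB::Util.html_escape`, so strip_tags output must not be treated as safe markup. Dropping `.try(:html_safe)` keeps the nil passthrough that the blank-input loop in the same test relies on.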
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index d7433a2..ab20945 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -7,7 +7,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.0.11
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -56,6 +56,19 @@ Patch7: atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-
 # https://bugzilla.redhat.com/show_bug.cgi?id=843711
 Patch8: actionpack-3.0.16-Do-not-convert-digest-auth-strings-to-symbols.-CVE-2.patch
 
+# CVE-2012-3463
+# https://bugzilla.redhat.com/show_bug.cgi?id=847196
+Patch9: actionpack-3.0.17-CVE-2012-3463-escape-select_tag-prompt-values.patch
+
+# CVE-2012-3464
+# https://bugzilla.redhat.com/show_bug.cgi?id=847199
+Patch10: actionpack-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
+Patch11: actionpack-3.0.17-CVE-2012-3464-Fix-tests-about-single-quote-escaping.patch
+
+# CVE-2012-3465
+# https://bugzilla.redhat.com/show_bug.cgi?id=847200
+Patch12: actionpack-3.0.17-CVE-2012-3465-Do-not-mark-strip_tags-result-as-html_safe.patch
+
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
@@ -119,6 +132,10 @@ pushd .%{gem_instdir}
 %patch6 -p2
 %patch7 -p2
 %patch8 -p2
+%patch9 -p2
+%patch10 -p2
+%patch11 -p2
+%patch12 -p2
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -195,6 +212,9 @@ rake test --trace
 
 
 %changelog
+* Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-7
+- Fixes for CVE-2012-3463, CVE-2012-3464 and CVE-2012-3465.
+
 * Tue Jul 31 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-6
 - Fix for CVE-2012-3424.
 

