[rubygem-activesupport/f16] Fixes for CVE-2012-3464.

Vít Ondruch vondruch at fedoraproject.org
Tue Aug 14 14:56:44 UTC 2012


commit 64eec8683e30e3b41698031bf0e35d857d913e7a
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Tue Aug 14 15:06:53 2012 +0200

    Fixes for CVE-2012-3464.

 ...4-html_escape-should-escape-single-quotes.patch |   76 ++++++++++++++++++++
 rubygem-activesupport.spec                         |   12 +++-
 2 files changed, 87 insertions(+), 1 deletions(-)
---
diff --git a/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch b/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
new file mode 100644
index 0000000..c8f156e
--- /dev/null
+++ b/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
@@ -0,0 +1,76 @@
+From 780a718723cf87b49cfe204d355948c4e0932d23 Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Tue, 31 Jul 2012 22:25:54 -0300
+Subject: [PATCH] html_escape should escape single quotes
+
+https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
+Closes #7215
+
+Conflicts:
+	activesupport/lib/active_support/core_ext/string/output_safety.rb
+	activesupport/test/core_ext/string_ext_test.rb
+---
+ .../core_ext/string/output_safety.rb               |  6 ++--
+ activesupport/test/core_ext/string_ext_test.rb     | 17 ++++++++++++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 0358873..b25592a 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
++++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -3,13 +3,13 @@ require 'active_support/core_ext/kernel/singleton_class'
+ 
+ class ERB
+   module Util
+-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
++    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
+     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+ 
+     # A utility method for escaping HTML tag characters.
+     # This method is also aliased as <tt>h</tt>.
+     #
+-    # In your ERb templates, use this method to escape any unsafe content. For example:
++    # In your ERB templates, use this method to escape any unsafe content. For example:
+     #   <%=h @person.name %>
+     #
+     # ==== Example:
+@@ -20,7 +20,7 @@ class ERB
+       if s.html_safe?
+         s
+       else
+-        s.to_s.gsub(/&/, "&amp;").gsub(/\"/, "&quot;").gsub(/>/, "&gt;").gsub(/</, "&lt;").html_safe
++        s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
+       end
+     end
+ 
+diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
+index 8f07cd1..be9a41b 100644
+--- a/activesupport/test/core_ext/string_ext_test.rb
++++ b/activesupport/test/core_ext/string_ext_test.rb
+@@ -527,6 +527,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
+     assert string.html_safe?
+     assert !string.to_param.html_safe?
+   end
++
++  test "ERB::Util.html_escape should escape unsafe characters" do
++    string = '<>&"\''
++    expected = '&lt;&gt;&amp;&quot;&#x27;'
++    assert_equal expected, ERB::Util.html_escape(string)
++  end
++
++  test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
++    string = [192, 60].pack('CC')
++    expected = 192.chr + "&lt;"
++    assert_equal expected, ERB::Util.html_escape(string)
++  end
++
++  test "ERB::Util.html_escape should not escape safe strings" do
++    string = "<b>hello</b>".html_safe
++    assert_equal string, ERB::Util.html_escape(string)
++  end
+ end
+ 
+ class StringExcludeTest < ActiveSupport::TestCase
+-- 
+1.7.11.2
+
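Review bot: The `/n` flag on the new `s.gsub(/[&"'><]/n)` line in output_safety.rb is load-bearing but undocumented: the new test in string_ext_test.rb feeds `[192, 60].pack('CC')` and expects the `<` escaped with the stray lead byte passed through, which a plain `/[&"'><]/` gsub would, as far as I recall, reject with an invalid-byte-sequence error on a UTF-8-tagged string. Suggest a comment above the gsub: `# /n: match byte-wise so input with invalid multibyte sequences is still escaped instead of raising`. The rewrite also drops the `.to_s` that preceded `gsub`; that is only safe if `html_escape` coerces `s` to a String earlier in the method, and the `def` line lies above the hunk so it cannot be confirmed here.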
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index 5cdd129..110c47b 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -9,7 +9,7 @@ Summary: Support and utility classes used by the Rails framework
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -36,6 +36,10 @@ Patch2: activesupport-remove-memcache-build-dep.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=799275
 Patch3: activesupport-CVE-2012-1098-safe-buffer-slice.patch
 
+# CVE-2012-3464
+# https://bugzilla.redhat.com/show_bug.cgi?id=847199
+Patch4: activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: ruby(abi) = %{rubyabi}
@@ -68,6 +72,9 @@ pushd .%{geminstdir}
 %patch1 -p0
 %patch2 -p0
 %patch3 -p2
+%patch4 -p2
+popd
+
 
 %build
 
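Review bot: `%patch4 -p2` applies a patch whose second file is `activesupport/test/core_ext/string_ext_test.rb`; whether `.%{geminstdir}` actually contains a `test/` tree is not visible in this diff, and if the unpacked gem ships only `lib/`, patch will stop on the missing file and fail the build, so the %prep output is worth checking (the existing `%patch3 -p2` for CVE-2012-1098 presumably set the precedent). The `-p2` strip level itself matches the `a/activesupport/...` paths in the new patch file. The added `popd` is unrelated to the CVE fix and harmless — `%prep` runs as its own shell, so the unbalanced `pushd .%{geminstdir}` never leaked into `%build` — but it would read better as its own changelog entry or commit.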
@@ -94,6 +101,9 @@ popd
 
 
 %changelog
+* Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-4
+- Fixes for CVE-2012-3464.
+
 * Fri Mar 16 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.10-3
 - The CVE patch name now contains the CVE id.
 

