[rubygem-activesupport/f16] Fixes for CVE-2012-3464.
Vít Ondruch
vondruch at fedoraproject.org
Tue Aug 14 14:56:44 UTC 2012
commit 64eec8683e30e3b41698031bf0e35d857d913e7a
Author: Vít Ondruch <vondruch at redhat.com>
Date: Tue Aug 14 15:06:53 2012 +0200
Fixes for CVE-2012-3464.
...4-html_escape-should-escape-single-quotes.patch | 76 ++++++++++++++++++++
rubygem-activesupport.spec | 12 +++-
2 files changed, 87 insertions(+), 1 deletions(-)
---
diff --git a/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch b/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
new file mode 100644
index 0000000..c8f156e
--- /dev/null
+++ b/activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
@@ -0,0 +1,76 @@
+From 780a718723cf87b49cfe204d355948c4e0932d23 Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Tue, 31 Jul 2012 22:25:54 -0300
+Subject: [PATCH] html_escape should escape single quotes
+
+https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
+Closes #7215
+
+Conflicts:
+ activesupport/lib/active_support/core_ext/string/output_safety.rb
+ activesupport/test/core_ext/string_ext_test.rb
+---
+ .../core_ext/string/output_safety.rb | 6 ++--
+ activesupport/test/core_ext/string_ext_test.rb | 17 ++++++++++++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 0358873..b25592a 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
++++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -3,13 +3,13 @@ require 'active_support/core_ext/kernel/singleton_class'
+
+ class ERB
+ module Util
+- HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' }
++ HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
+ JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+
+ # A utility method for escaping HTML tag characters.
+ # This method is also aliased as <tt>h</tt>.
+ #
+- # In your ERb templates, use this method to escape any unsafe content. For example:
++ # In your ERB templates, use this method to escape any unsafe content. For example:
+ # <%=h @person.name %>
+ #
+ # ==== Example:
+@@ -20,7 +20,7 @@ class ERB
+ if s.html_safe?
+ s
+ else
+- s.to_s.gsub(/&/, "&").gsub(/\"/, """).gsub(/>/, ">").gsub(/</, "<").html_safe
++ s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
+ end
+ end
+
+diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
+index 8f07cd1..be9a41b 100644
+--- a/activesupport/test/core_ext/string_ext_test.rb
++++ b/activesupport/test/core_ext/string_ext_test.rb
+@@ -527,6 +527,23 @@ class OutputSafetyTest < ActiveSupport::TestCase
+ assert string.html_safe?
+ assert !string.to_param.html_safe?
+ end
++
++ test "ERB::Util.html_escape should escape unsafe characters" do
++ string = '<>&"\''
++ expected = '<>&"''
++ assert_equal expected, ERB::Util.html_escape(string)
++ end
++
++ test "ERB::Util.html_escape should correctly handle invalid UTF-8 strings" do
++ string = [192, 60].pack('CC')
++ expected = 192.chr + "<"
++ assert_equal expected, ERB::Util.html_escape(string)
++ end
++
++ test "ERB::Util.html_escape should not escape safe strings" do
++ string = "<b>hello</b>".html_safe
++ assert_equal string, ERB::Util.html_escape(string)
++ end
+ end
+
+ class StringExcludeTest < ActiveSupport::TestCase
+--
+1.7.11.2
+
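Review bot: The escape table and the expected-value strings in this hunk read as identity mappings on this page (`'&' => '&'`, `'"' => '"'` on the HTML_ESCAPE line, and `expected = '<>&"''` in the first added test), which is most likely the list archive decoding the HTML entities rather than the committed file; the patch as applied should still be checked to carry the entity text (`&amp;`, `&gt;`, `&lt;`, `&quot;` and a numeric entity for the apostrophe, upstream uses `&#x27;`), because an identity table would leave html_escape a no-op and the single-quote fix ineffective. The new gsub line also drops the `.to_s` that the replaced line had, which is only safe if html_escape coerces `s` before the `if s.html_safe?` context line; that part of the method is above the hunk and not visible here. The `/n` flag makes the character class match bytewise, which is what the added invalid-UTF-8 test depends on, so it should not be "modernised" away when rebasing. The html_escape method starts outside the hunk.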
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index 5cdd129..110c47b 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -9,7 +9,7 @@ Summary: Support and utility classes used by the Rails framework
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.10
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -36,6 +36,10 @@ Patch2: activesupport-remove-memcache-build-dep.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=799275
Patch3: activesupport-CVE-2012-1098-safe-buffer-slice.patch
+# CVE-2012-3464
+# https://bugzilla.redhat.com/show_bug.cgi?id=847199
+Patch4: activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: rubygems
Requires: ruby(abi) = %{rubyabi}
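Review bot: The Patch4 filename carries the upstream release 3.0.17 while this package builds Version 3.0.10 (first hunk), and the embedded patch lists a Conflicts: section, so a later maintainer may read it as a version mismatch or an unadapted upstream patch; a comment next to the Patch4 line would remove the ambiguity, e.g. `# Backport of upstream commit 780a718 (3.0.17) adapted to 3.0.10; see Conflicts in the patch`. The `%patch4 -p2` in the following %prep hunk matches the `a/activesupport/` path prefix of the embedded diff and is consistent with Patch3.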
@@ -68,6 +72,9 @@ pushd .%{geminstdir}
%patch1 -p0
%patch2 -p0
%patch3 -p2
+%patch4 -p2
+popd
+
%build
@@ -94,6 +101,9 @@ popd
%changelog
+* Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-4
+- Fixes for CVE-2012-3464.
+
* Fri Mar 16 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.10-3
- The CVE patch name now contains the CVE id.