[rubygem-actionpack/f15] Fix for CVE-2012-1099.
Bohuslav Kabrda
bkabrda at fedoraproject.org
Tue Mar 6 06:43:02 UTC 2012
commit 8e9d7d4fe07968d1c7247ee1a66dbc85e8717b6c
Author: Bohuslav Kabrda <bkabrda at redhat.com>
Date: Tue Mar 6 07:42:51 2012 +0100
Fix for CVE-2012-1099.
actionpack-select-options-XSS-fix.patch | 61 +++++++++++++++++++++++++++++++
rubygem-actionpack.spec | 10 +++++-
2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/actionpack-select-options-XSS-fix.patch b/actionpack-select-options-XSS-fix.patch
new file mode 100644
index 0000000..f0211c0
--- /dev/null
+++ b/actionpack-select-options-XSS-fix.patch
@@ -0,0 +1,61 @@
+From 5b4082fddf3412aef6c085fbb2a13fd3bbc75f4e Mon Sep 17 00:00:00 2001
+From: Sergey Nartimov <just.lest at gmail.com>
+Date: Mon, 20 Feb 2012 15:41:17 -0800
+Subject: [PATCH] fix output safety issue with select options
+
+---
+ .../lib/action_view/helpers/form_options_helper.rb | 6 +++---
+ .../test/template/form_options_helper_test.rb | 9 ++++++++-
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
+index 082647f..949b02a 100644
+--- a/actionpack/lib/action_view/helpers/form_options_helper.rb
++++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
+@@ -596,13 +596,13 @@ module ActionView
+ private
+ def add_options(option_tags, options, value = nil)
+ if options[:include_blank]
+- option_tags = "<option value=\"\">#{html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
++ option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags
+ end
+ if value.blank? && options[:prompt]
+ prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
+- option_tags = "<option value=\"\">#{html_escape(prompt)}</option>\n" + option_tags
++ option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags
+ end
+- option_tags.html_safe
++ option_tags
+ end
+ end
+
+diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb
+index 6656420..9ca4bf6 100644
+--- a/actionpack/test/template/form_options_helper_test.rb
++++ b/actionpack/test/template/form_options_helper_test.rb
+@@ -432,7 +432,7 @@ class FormOptionsHelperTest < ActionView::TestCase
+
+ def test_select_under_fields_for_with_string_and_given_prompt
+ @post = Post.new
+- options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>"
++ options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>".html_safe
+
+ output_buffer = fields_for :post, @post do |f|
+ concat f.select(:category, options, :prompt => 'The prompt')
+@@ -536,6 +536,13 @@ class FormOptionsHelperTest < ActionView::TestCase
+ )
+ end
+
++ def test_select_escapes_options
++ assert_dom_equal(
++ '<select id="post_title" name="post[title]"><script>alert(1)</script></select>',
++ select('post', 'title', '<script>alert(1)</script>')
++ )
++ end
++
+ def test_select_with_selected_nil
+ @post = Post.new
+ @post.category = "<mus>"
+--
+1.7.6
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 00f3e01..deb0ed4 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -9,7 +9,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.5
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -59,6 +59,10 @@ Patch8: actionpack-%{version}-XSS-flaw-fix.patch
# Fixes tests failing with Ruby-1.8.7.p357
Patch9: actionpack-%{version}-fix-tests-failing-with-ruby-1.8.7.p357.patch
+# Fixes CVE-2012-1099
+# https://bugzilla.redhat.com/show_bug.cgi?id=799276
+Patch10: actionpack-select-options-XSS-fix.patch
+
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -121,6 +125,7 @@ pushd .%{geminstdir}
%patch7 -p0
%patch8 -p2
%patch9 -p2
+%patch10 -p2
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -192,6 +197,9 @@ rake test --trace
%changelog
+* Tue Mar 06 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.5-6
+- Fix for CVE-2012-1099.
+
* Tue Jan 17 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.5-5
- Security fix for XSS flaw, RHBZ #755007 (CVE-2011-4319)
- Patch for tests failing with Ruby-1.8.7.p357.
More information about the scm-commits
mailing list