[rubygem-activesupport/f17] Fix for CVE-2013-0156.
Vít Ondruch
vondruch at fedoraproject.org
Thu Jan 10 12:58:15 UTC 2013
commit 84cc2ef8aec9144a6489c1cb63833dafecd914b1
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Jan 10 13:57:20 2013 +0100
Fix for CVE-2013-0156.
...esupport-3.0.19-CVE-2013-0156-xml_parsing.patch | 161 ++++++++++++++++++++
rubygem-activesupport.spec | 12 ++-
2 files changed, 171 insertions(+), 2 deletions(-)
---
diff --git a/rubygem-activesupport-3.0.19-CVE-2013-0156-xml_parsing.patch b/rubygem-activesupport-3.0.19-CVE-2013-0156-xml_parsing.patch
new file mode 100644
index 0000000..6bba8df
--- /dev/null
+++ b/rubygem-activesupport-3.0.19-CVE-2013-0156-xml_parsing.patch
@@ -0,0 +1,161 @@
+From a494824efc3212232f6b6328e7a1951e9cf17105 Mon Sep 17 00:00:00 2001
+From: Jeremy Kemper <jeremy at bitsweat.net>
+Date: Sat, 5 Jan 2013 17:46:26 -0700
+Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow
+ symbols or yaml.
+
+---
+ .../active_support/core_ext/hash/conversions.rb | 32 +++++++++++++++-----
+ activesupport/test/core_ext/hash_ext_test.rb | 28 +++++++++++++----
+ 2 files changed, 47 insertions(+), 13 deletions(-)
+
+diff --git a/activesupport/lib/active_support/core_ext/hash/conversions.rb b/activesupport/lib/active_support/core_ext/hash/conversions.rb
+index 465a635..e0856f6 100644
+--- a/activesupport/lib/active_support/core_ext/hash/conversions.rb
++++ b/activesupport/lib/active_support/core_ext/hash/conversions.rb
+@@ -73,15 +73,33 @@ class Hash
+ end
+ end
+
++ class DisallowedType < StandardError #:nodoc:
++ def initialize(type)
++ super "Disallowed type attribute: #{type.inspect}"
++ end
++ end
++
++ DISALLOWED_XML_TYPES = %w(symbol yaml)
++
+ class << self
+- def from_xml(xml)
+- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)))
++ def from_xml(xml, disallowed_types = nil)
++ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types)
++ end
++
++ def from_trusted_xml(xml)
++ from_xml xml, []
+ end
+
+ private
+- def typecast_xml_value(value)
++ def typecast_xml_value(value, disallowed_types = nil)
++ disallowed_types ||= DISALLOWED_XML_TYPES
++
+ case value.class.to_s
+ when 'Hash'
++ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
++ raise DisallowedType, value['type']
++ end
++
+ if value['type'] == 'array'
+ _, entries = Array.wrap(value.detect { |k,v| k != 'type' })
+ if entries.nil? || (c = value['__content__'] && c.blank?)
+@@ -89,9 +107,9 @@ class Hash
+ else
+ case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
+ when "Array"
+- entries.collect { |v| typecast_xml_value(v) }
++ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
+ when "Hash"
+- [typecast_xml_value(entries)]
++ [typecast_xml_value(entries, disallowed_types)]
+ else
+ raise "can't typecast #{entries.inspect}"
+ end
+@@ -116,7 +134,7 @@ class Hash
+ nil
+ else
+ xml_value = value.inject({}) do |h,(k,v)|
+- h[k] = typecast_xml_value(v)
++ h[k] = typecast_xml_value(v, disallowed_types)
+ h
+ end
+
+@@ -125,7 +143,7 @@ class Hash
+ xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
+ end
+ when 'Array'
+- value.map! { |i| typecast_xml_value(i) }
++ value.map! { |i| typecast_xml_value(i, disallowed_types) }
+ value.length > 1 ? value : value.first
+ when 'String'
+ value
+diff --git a/activesupport/test/core_ext/hash_ext_test.rb b/activesupport/test/core_ext/hash_ext_test.rb
+index e9aa57c..ff1408d 100644
+--- a/activesupport/test/core_ext/hash_ext_test.rb
++++ b/activesupport/test/core_ext/hash_ext_test.rb
+@@ -640,12 +640,10 @@ class HashToXmlTest < Test::Unit::TestCase
+ <replies-close-in type="integer">2592000000</replies-close-in>
+ <written-on type="date">2003-07-16</written-on>
+ <viewed-at type="datetime">2003-07-16T09:28:00+0000</viewed-at>
+- <content type="yaml">--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n should_have_underscores: true\n</content>
+ <author-email-address>david at loudthinking.com</author-email-address>
+ <parent-id></parent-id>
+ <ad-revenue type="decimal">1.5</ad-revenue>
+ <optimum-viewing-angle type="float">135</optimum-viewing-angle>
+- <resident type="symbol">yes</resident>
+ </topic>
+ EOT
+
+@@ -658,12 +656,10 @@ class HashToXmlTest < Test::Unit::TestCase
+ :replies_close_in => 2592000000,
+ :written_on => Date.new(2003, 7, 16),
+ :viewed_at => Time.utc(2003, 7, 16, 9, 28),
+- :content => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+ :author_email_address => "david at loudthinking.com",
+ :parent_id => nil,
+ :ad_revenue => BigDecimal("1.50"),
+ :optimum_viewing_angle => 135.0,
+- :resident => :yes
+ }.stringify_keys
+
+ assert_equal expected_topic_hash, Hash.from_xml(topic_xml)["topic"]
+@@ -677,7 +673,6 @@ class HashToXmlTest < Test::Unit::TestCase
+ <approved type="boolean"></approved>
+ <written-on type="date"></written-on>
+ <viewed-at type="datetime"></viewed-at>
+- <content type="yaml"></content>
+ <parent-id></parent-id>
+ </topic>
+ EOT
+@@ -688,7 +683,6 @@ class HashToXmlTest < Test::Unit::TestCase
+ :approved => nil,
+ :written_on => nil,
+ :viewed_at => nil,
+- :content => nil,
+ :parent_id => nil
+ }.stringify_keys
+
+@@ -915,6 +909,28 @@ class HashToXmlTest < Test::Unit::TestCase
+ assert_equal expected_product_hash, Hash.from_xml(product_xml)["product"]
+ end
+
++ def test_from_xml_raises_on_disallowed_type_attributes
++ assert_raise Hash::DisallowedType do
++ Hash.from_xml '<product><name type="foo">value</name></product>', %w(foo)
++ end
++ end
++
++ def test_from_xml_disallows_symbol_and_yaml_types_by_default
++ assert_raise Hash::DisallowedType do
++ Hash.from_xml '<product><name type="symbol">value</name></product>'
++ end
++
++ assert_raise Hash::DisallowedType do
++ Hash.from_xml '<product><name type="yaml">value</name></product>'
++ end
++ end
++
++ def test_from_trusted_xml_allows_symbol_and_yaml_types
++ expected = { 'product' => { 'name' => :value }}
++ assert_equal expected, Hash.from_trusted_xml('<product><name type="symbol">value</name></product>')
++ assert_equal expected, Hash.from_trusted_xml('<product><name type="yaml">:value</name></product>')
++ end
++
+ def test_should_use_default_value_for_unknown_key
+ hash_wia = HashWithIndifferentAccess.new(3)
+ assert_equal 3, hash_wia[:new_key]
+--
+1.7.10.2 (Apple Git-33)
+
+
diff --git a/rubygem-activesupport.spec b/rubygem-activesupport.spec
index 16a1002..48ae96d 100644
--- a/rubygem-activesupport.spec
+++ b/rubygem-activesupport.spec
@@ -7,7 +7,7 @@ Summary: Support and utility classes used by the Rails framework
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.0.11
-Release: 6%{?dist}
+Release: 7%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -43,6 +43,10 @@ Patch4: activesupport-add-bigdecimal-dependency.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=847199
Patch5: activesupport-3.0.17-CVE-2012-3464-html_escape-should-escape-single-quotes.patch
+# CVE-2013-0156
+# https://bugzilla.redhat.com/show_bug.cgi?id=892870
+Patch6: rubygem-activesupport-3.0.19-CVE-2013-0156-xml_parsing.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: ruby(rubygems)
Requires: ruby(abi) = %{rubyabi}
@@ -79,6 +83,7 @@ pushd .%{gem_instdir}
%patch2 -p0
%patch3 -p2
%patch5 -p2
+%patch6 -p2
popd
pushd .%{gem_dir}
@@ -96,7 +101,7 @@ cp -a .%{gem_dir}/* %{buildroot}%{gem_dir}
pushd %{buildroot}%{gem_instdir}
# The error seems to be caused by updated mocha. The test suite passes with mocha 0.10.0.
ruby -Itest -e "Dir.glob('./test/**/*_test.rb').each {|t| require t}" | \
- grep "2197 tests, 9720 assertions, 0 failures, 1 errors, 0 skips"
+ grep "2200 tests, 9725 assertions, 0 failures, 1 errors, 0 skips"
popd
%files
@@ -112,6 +117,9 @@ popd
%changelog
+* Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-7
+- Fix for CVE-2013-0156.
+
* Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-6
- Fixes for CVE-2012-3464.
More information about the scm-commits
mailing list