[rubygem-actionpack/f17] Fix for CVE-2013-1855 and CVE-2013-1857.

Vít Ondruch vondruch at fedoraproject.org
Thu Mar 21 11:37:29 UTC 2013


commit 0f13cce6668568dd63da5b42309f36bfd442ecc4
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Thu Mar 21 11:38:45 2013 +0100

    Fix for CVE-2013-1855 and CVE-2013-1857.

 ...ionpack-3.2.13-CVE-2013-1855-css_sanitize.patch |   37 ++++++++++++++++++++
 ...ck-3.2.13-CVE-2013-1857-sanitize_protocol.patch |   36 +++++++++++++++++++
 rubygem-actionpack.spec                            |   15 +++++++-
 3 files changed, 87 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-actionpack-3.2.13-CVE-2013-1855-css_sanitize.patch b/rubygem-actionpack-3.2.13-CVE-2013-1855-css_sanitize.patch
new file mode 100644
index 0000000..d225247
--- /dev/null
+++ b/rubygem-actionpack-3.2.13-CVE-2013-1855-css_sanitize.patch
@@ -0,0 +1,37 @@
+From 0075f36acc933f4ceee95be725e37bfbbd3bf01c Mon Sep 17 00:00:00 2001
+From: Charlie Somerville <charlie at charliesomerville.com>
+Date: Wed, 13 Feb 2013 09:09:53 +1100
+Subject: [PATCH] fix incorrect ^$ usage leading to XSS in sanitize_css
+ [CVE-2013-1855]
+
+---
+ .../lib/action_controller/vendor/html-scanner/html/sanitizer.rb     | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+index dceddb9..6cf4d27 100644
+--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -109,8 +109,8 @@ def sanitize_css(style)
+       style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
+ 
+       # gauntlet
+-      if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
+-          style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
++      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
++          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
+         return ''
+       end
+ 
+@@ -121,7 +121,7 @@ def sanitize_css(style)
+         elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
+           unless val.split().any? do |keyword|
+             !allowed_css_keywords.include?(keyword) &&
+-              keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
++              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+           end
+             clean << prop + ': ' + val + ';'
+           end
+-- 
+1.8.1.5
+
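Review bot: The second gauntlet on the new side of the sanitize_css hunk, `style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/`, still carries a `$` inside `(;|$)`, and in Ruby `$` is a line anchor, so a declaration can be terminated by an embedded newline instead of a `;` — the same anchor confusion the patch title describes, one level down. Since the first gauntlet on the preceding line already restricts the character set I am not claiming this is exploitable, but for the fix to be consistent with its own intent the group should read `(;|\z)`, i.e. `style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/`. sanitize_css begins before and continues after this hunk, so the code that later scans the surviving declarations is not visible here. The nested patch is an upstream 3.2.13 commit being applied to the 3.0.11 tree named in the spec, so whether its context lines still match that tree can only be confirmed at build time.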
diff --git a/rubygem-actionpack-3.2.13-CVE-2013-1857-sanitize_protocol.patch b/rubygem-actionpack-3.2.13-CVE-2013-1857-sanitize_protocol.patch
new file mode 100644
index 0000000..228c36c
--- /dev/null
+++ b/rubygem-actionpack-3.2.13-CVE-2013-1857-sanitize_protocol.patch
@@ -0,0 +1,36 @@
+From 77403a9b04073713e2b758c22174a81bb3cd62b9 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 15 Mar 2013 15:04:00 -0700
+Subject: [PATCH] fix protocol checking in sanitization [CVE-2013-1857]
+
+Conflicts:
+	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+---
+ .../action_controller/vendor/html-scanner/html/sanitizer.rb    |  4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+index 6cf4d27..b4c0b0f 100644
+--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -65,7 +65,7 @@ class WhiteListSanitizer < Sanitizer
+ 
+     # A regular expression of the valid characters used to separate protocols like
+     # the ':' in 'http://foo.com'
+-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
++    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
+ 
+     # Specifies a Set of HTML attributes that can have URIs.
+     self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
+@@ -170,7 +170,7 @@ def process_attributes_for(node, options)
+ 
+     def contains_bad_protocols?(attr_name, value)
+       uri_attributes.include?(attr_name) &&
+-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
++      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+     end
+   end
+ end
+-- 
+1.8.1.5
+
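Review bot: The new `.downcase.strip` chain in contains_bad_protocols? dereferences `value.split(protocol_separator).first` without a nil guard, and `String#split` drops trailing empty fields, so a value made only of separator characters (for example an `href` of just `:`) yields an empty array, `first` is nil, and the sanitizer raises NoMethodError instead of rejecting the attribute — before this change the same input fell through to `include?(nil)` and was treated as a bad protocol. Markup that reaches the sanitizer is untrusted, and it should not be able to turn a rejection into an exception; `!allowed_protocols.include?(value.split(protocol_separator).first.to_s.downcase.strip)` keeps the previous fail-closed outcome. The `(&#x70)` alternative kept from the original regex encodes `p` (0x70) rather than `:`; that predates this patch, but if the intent was `&#x3a` it is now covered by the new `(&#x0*3a)` alternative and a comment saying so would stop the next reader from puzzling over it. The WhiteListSanitizer class starts outside this hunk.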
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index b326cae..a485818 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -7,7 +7,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.0.11
-Release: 8%{?dist}
+Release: 9%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -73,6 +73,14 @@ Patch12: actionpack-3.0.17-CVE-2012-3465-Do-not-mark-strip_tags-result-as-html_s
 # https://bugzilla.redhat.com/show_bug.cgi?id=892866
 Patch13: rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch
 
+# CVE-2013-1855
+# https://bugzilla.redhat.com/show_bug.cgi?id=921331
+Patch14:  rubygem-actionpack-3.2.13-CVE-2013-1855-css_sanitize.patch
+
+# CVE-2013-1857
+# https://bugzilla.redhat.com/show_bug.cgi?id=921335
+Patch15:  rubygem-actionpack-3.2.13-CVE-2013-1857-sanitize_protocol.patch
+
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
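Review bot: The two new Patch lines record only the CVE and bugzilla reference, while the patch filenames say 3.2.13 and the Version line of this spec says 3.0.11; each comment should state the provenance so the next updater knows these are backports of upstream commits, e.g. `# Backport of upstream 0075f36 (applied to 3.0.11 with -p2)` above Patch14 and `# Backport of upstream 77403a9 (applied to 3.0.11 with -p2)` above Patch15. Also a style point: `Patch14:  ` and `Patch15:  ` use two spaces after the colon where the neighbouring `Patch13: ` uses one. The second patch's index line (6cf4d27) matches the output blob of the first, so the %patch14-then-%patch15 order in the %prep hunk is consistent, but that ordering dependency is worth a one-line comment too.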
@@ -141,6 +149,8 @@ pushd .%{gem_instdir}
 %patch11 -p2
 %patch12 -p2
 %patch13 -p2
+%patch14 -p2
+%patch15 -p2
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -217,6 +227,9 @@ rake test --trace
 
 
 %changelog
+* Thu Mar 21 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-9
+- Fix for CVE-2013-1855 and CVE-2013-1857.
+
 * Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-8
 - Fix for CVE-2013-0155.
 

