[rubygem-activeresource/f18] Fix FTBFS caused by fix for CVE-2013-0156.

Vít Ondruch vondruch at fedoraproject.org
Thu Jun 13 10:10:51 UTC 2013


commit 543c6cd46121a0bf1ccdd08b371efa6a0d884f3d
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Thu Jun 13 11:37:52 2013 +0200

    Fix FTBFS caused by fix for CVE-2013-0156.
    
      - Resolves: rhbz#973651

 ...e-3.2.13-Remove-text-for-XML-YAML-parsing.patch |   71 ++++++++++++++++++++
 rubygem-activeresource.spec                        |   12 +++-
 2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch b/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
new file mode 100644
index 0000000..42a7cf6
--- /dev/null
+++ b/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
@@ -0,0 +1,71 @@
+From e134e171c201e136ce28dc229cdc61944dc59cf2 Mon Sep 17 00:00:00 2001
+From: Prem Sichanugrist <s at sikac.hu>
+Date: Tue, 8 Jan 2013 19:39:25 -0500
+Subject: [PATCH] Remove test for XML YAML parsing
+
+The support for YAML parsing in XML has been removed from Active Support
+since it introduced an security risk. See 43109ec for more detail.
+---
+ activeresource/test/abstract_unit.rb   | 14 --------------
+ activeresource/test/cases/base_test.rb | 13 -------------
+ 2 files changed, 27 deletions(-)
+
+diff --git a/activeresource/test/abstract_unit.rb b/activeresource/test/abstract_unit.rb
+index 9c1e9a5..583fd2a 100644
+--- a/activeresource/test/abstract_unit.rb
++++ b/activeresource/test/abstract_unit.rb
+@@ -77,19 +77,6 @@ def setup_response
+       }]
+     }
+   }.to_json
+-  # - resource with yaml array of strings; for ARs using serialize :bar, Array
+-  @marty = <<-eof.strip
+-    <?xml version=\"1.0\" encoding=\"UTF-8\"?>
+-    <person>
+-      <id type=\"integer\">5</id>
+-      <name>Marty</name>
+-      <colors type=\"yaml\">---
+-    - \"red\"
+-    - \"green\"
+-    - \"blue\"
+-    </colors>
+-    </person>
+-  eof
+ 
+   @startup_sound = {
+     :sound => {
+@@ -101,7 +88,6 @@ def setup_response
+     mock.get    "/people/1.json",               {}, @matz
+     mock.get    "/people/1.xml",                {}, @matz_xml
+     mock.get    "/people/2.xml",                {}, @david
+-    mock.get    "/people/5.xml",                {}, @marty
+     mock.get    "/people/Greg.json",            {}, @greg
+     mock.get    "/people/6.json",               {}, @joe
+     mock.get    "/people/4.json",               { 'key' => 'value' }, nil, 404
+diff --git a/activeresource/test/cases/base_test.rb b/activeresource/test/cases/base_test.rb
+index 5ef8a51..983f054 100644
+--- a/activeresource/test/cases/base_test.rb
++++ b/activeresource/test/cases/base_test.rb
+@@ -1077,19 +1077,6 @@ def test_parse_deep_nested_resources
+     end
+   end
+ 
+-  def test_load_yaml_array
+-    assert_nothing_raised do
+-      Person.format = :xml
+-      marty = Person.find(5)
+-      assert_equal 3, marty.colors.size
+-      marty.colors.each do |color|
+-        assert_kind_of String, color
+-      end
+-    end
+-  ensure
+-    Person.format = :json
+-  end
+-
+   def test_with_custom_formatter
+     addresses = [{ :id => "1", :street => "1 Infinite Loop", :city => "Cupertino", :state => "CA" }].to_xml(:root => :addresses)
+ 
+-- 
+1.8.1.6
+
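Review bot: the new file's name does not match what it contains: it is called rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch, but the spec's Version is 3.2.8 and the upstream subject line in the file is "Remove test for XML YAML parsing", so both "3.2.13" and "text" are misleading. Rename it to something like rubygem-activeresource-3.2.8-Remove-test-for-XML-YAML-parsing.patch (and update the Patch0 line) so nobody later assumes it was taken from a 3.2.13 tree or that it touches documentation. Worth a one-line comment at the top of the file as well: the hunks carry rails monorepo paths (a/activeresource/test/abstract_unit.rb, a/activeresource/test/cases/base_test.rb) and the index lines (9c1e9a5, 5ef8a51) are from upstream's tree, not the 3.2.8 tests tarball, which is why the spec has to strip two path components when applying it.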
diff --git a/rubygem-activeresource.spec b/rubygem-activeresource.spec
index 0f12d63..af167c2 100644
--- a/rubygem-activeresource.spec
+++ b/rubygem-activeresource.spec
@@ -7,7 +7,7 @@ Summary: Active Record for web resources
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.2.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -22,6 +22,10 @@ Source0: http://rubygems.org/downloads/activeresource-%{version}.gem
 # tar czvf activeresource-3.2.8-tests.tgz test/
 Source1: activeresource-%{version}-tests.tgz
 
+# Remove test for XML YAML parsing disabled due to CVE-2013-0156
+# https://github.com/rails/rails/commit/e134e171c201e136ce28dc229cdc61944dc59cf2
+Patch0: rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
+
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 Requires: ruby(abi) = %{rubyabi}
 Requires: ruby(rubygems)
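Review bot: Patch0 is declared here but it is deliberately not applied with %patch0 in %prep, because test/ only exists after the tests tarball is unpacked inside %{gem_instdir} later in the build; the comment above the Patch0 line should say so ("applied by hand after extracting Source1, see below"), otherwise the next person tidying the spec will add a %patch0 to %prep and get a "can't find file to patch" failure. The comment could also mention that the upstream commit removes the test because the YAML-in-XML code path it exercised was removed from Active Support, which is the actual reason the 3.2.8 test suite stopped building.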
@@ -79,6 +83,8 @@ done
 pushd .%{gem_instdir}
 tar xzvf %{SOURCE1}
 
+cat %{PATCH0} | patch -p2
+
 # load_path is not available, remove its require.
 sed -i '1,+1d' test/abstract_unit.rb
 
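Review bot: `cat %{PATCH0} | patch -p2` works, but `patch -p2 < %{PATCH0}` says the same thing without the needless pipe, and since the patch was lifted from a different tree than the 3.2.8 tests tarball (see the index lines in the patch file), consider adding `--fuzz=0` so that a hunk that only applies with fuzz fails the build instead of silently landing a few lines off in abstract_unit.rb or base_test.rb. A short comment explaining the -p2 (upstream paths are a/activeresource/test/..., and we are already inside %{gem_instdir}, so two components are stripped) would keep the next reader from "correcting" it to -p1.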
@@ -99,6 +105,10 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Thu Jun 13 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-2
+- Fix FTBFS caused by fix for CVE-2013-0156.
+  - Resolves: rhbz#973651
+
 * Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-1
 - Update to ActiveResource 3.2.8.
 

