[rubygem-i18n/f19] Fix cross-site scripting flaw in exception handling (CVE-2013-4492).
Vít Ondruch
vondruch at fedoraproject.org
Mon Dec 9 14:33:14 UTC 2013
commit 539d316c85843cdf45ecfa6d774650a051df9501
Author: Vít Ondruch <vondruch at redhat.com>
Date: Mon Dec 9 15:17:16 2013 +0100
Fix cross-site scripting flaw in exception handling (CVE-2013-4492).
...on-escapes-key-names-for-its-html_message.patch | 93 ++++++++++++++++++++
rubygem-i18n.spec | 14 ++-
2 files changed, 103 insertions(+), 4 deletions(-)
---
diff --git a/rubygem-i18n-0.6.6-I18n::MissingTranslation-exception-escapes-key-names-for-its-html_message.patch b/rubygem-i18n-0.6.6-I18n::MissingTranslation-exception-escapes-key-names-for-its-html_message.patch
new file mode 100644
index 0000000..5f82885
--- /dev/null
+++ b/rubygem-i18n-0.6.6-I18n::MissingTranslation-exception-escapes-key-names-for-its-html_message.patch
@@ -0,0 +1,93 @@
+From 92b57b1e4f84adcdcc3a375278f299274be62445 Mon Sep 17 00:00:00 2001
+From: Christopher Dell <chris at tigrish.com>
+Date: Tue, 3 Dec 2013 17:24:04 +0100
+Subject: [PATCH] The I18n::MissingTranslation exception escapes key names for
+ its html_message
+
+Also added deprecation message for the :rescue_format option
+---
+ lib/i18n/exceptions.rb | 28 +++++++++++++++++++++++++---
+ test/i18n/exceptions_test.rb | 10 +++++++---
+ 2 files changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/lib/i18n/exceptions.rb b/lib/i18n/exceptions.rb
+index c0cf438..669d4cd 100644
+--- a/lib/i18n/exceptions.rb
++++ b/lib/i18n/exceptions.rb
+@@ -1,3 +1,5 @@
++require 'cgi'
++
+ module I18n
+ # Handles exceptions raised in the backend. All exceptions except for
+ # MissingTranslationData exceptions are re-thrown. When a MissingTranslationData
+@@ -7,7 +9,19 @@ class ExceptionHandler
+ include Module.new {
+ def call(exception, locale, key, options)
+ if exception.is_a?(MissingTranslation)
+- options[:rescue_format] == :html ? exception.html_message : exception.message
++ #
++ # TODO: this block is to be replaced by `exception.message` when
++ # rescue_format is removed
++ if options[:rescue_format] == :html
++ if @rescue_format_deprecation
++ $stderr.puts "[DEPRECATED] I18n's :recue_format option will be removed from a future release. All exception messages will be plain text. If you need the exception handler to return an html format please set or pass a custom exception handler."
++ @rescue_format_deprecation = true
++ end
++ exception.html_message
++ else
++ exception.message
++ end
++
+ elsif exception.is_a?(Exception)
+ raise exception
+ else
+@@ -45,8 +59,9 @@ def initialize(locale, key, options = nil)
+ end
+
+ def html_message
+- key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
+- %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
++ key = CGI.escape_html titleize(keys.last)
++ path = CGI.escape_html keys.join('.')
++ %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>)
+ end
+
+ def keys
+@@ -63,6 +78,13 @@ def message
+ def to_exception
+ MissingTranslationData.new(locale, key, options)
+ end
++
++ protected
++
++ # TODO : remove when #html_message is removed
++ def titleize(key)
++ key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
++ end
+ end
+
+ include Base
+diff --git a/test/i18n/exceptions_test.rb b/test/i18n/exceptions_test.rb
+index 3c2e1cb..098eefe 100644
+--- a/test/i18n/exceptions_test.rb
++++ b/test/i18n/exceptions_test.rb
+@@ -28,9 +28,13 @@ def test_invalid_locale_stores_locale
+ end
+
+ test "MissingTranslationData html_message is a span with the titlelized last key token" do
+- force_missing_translation_data do |exception|
+- assert_equal '<span class="translation_missing" title="translation missing: de.bar.foo">Foo</span>', exception.html_message
+- end
++ exception = I18n::MissingTranslationData.new(:de, :foo, :scope => :bar)
++ assert_equal '<span class="translation_missing" title="translation missing: de.bar.foo">Foo</span>', exception.html_message
++ end
++
++ test "MissingTranslationData html_message html escapes key names" do
++ exception = I18n::MissingTranslationData.new(:de, '<script>Evil</script>', :scope => '<iframe src="example.com" />')
++ assert_equal '<span class="translation_missing" title="translation missing: de.<iframe src="example.com" />.<script>Evil</script>"><Script>Evil</Script></span>', exception.html_message
+ end
+
+ test "ExceptionHandler returns the html_message if :rescue_format => :html was given" do
+--
+1.8.5.1
+
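Review bot: The deprecation guard added in ExceptionHandler#call is inverted — `if @rescue_format_deprecation` tests an instance variable that is nil until the body of that same branch sets it, so the `$stderr.puts` is never reached and the flag is never set; the guard should read `unless @rescue_format_deprecation`. The message text also misspells the option as `:recue_format`; since it is a runtime string emitted to users, the intended wording is `I18n's :rescue_format option`. The escaping change itself looks right: both the titleized last key and the dotted key path go through `CGI.escape_html` before interpolation into the span, and `require 'cgi'` is added at the top of lib/i18n/exceptions.rb. The new test's expected string appears here with `<` and `>` un-escaped, which is presumably the mail archive decoding entities rather than the literal assertion; confirm against the upstream commit before relying on it. The `call` method and the MissingTranslation::Base class continue outside the nested hunks.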
diff --git a/rubygem-i18n.spec b/rubygem-i18n.spec
index 53f230e..7306a6b 100644
--- a/rubygem-i18n.spec
+++ b/rubygem-i18n.spec
@@ -3,11 +3,12 @@
Summary: New wave Internationalization support for Ruby
Name: rubygem-%{gem_name}
Version: 0.6.1
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Languages
License: MIT and (GPLv2 or Ruby)
URL: http://github.com/svenfuchs/i18n
Source0: http://rubygems.org/gems/%{gem_name}-%{version}.gem
+Patch0: rubygem-i18n-0.6.6-I18n::MissingTranslation-exception-escapes-key-names-for-its-html_message.patch
Requires: ruby(rubygems)
Requires: ruby(release)
BuildRequires: ruby(release)
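Review bot: The Patch0 file name carries version 0.6.6 while the Version tag a few lines above is 0.6.1, so the patch was presumably taken from upstream and is being applied to an older source than it was written against. A comment above the Patch0 line recording its origin and that it was checked against this version would save the next packager the lookup, e.g. `# Backport of upstream 92b57b1e (CVE-2013-4492); verified to apply to 0.6.1 — TODO confirm on rebase`.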
@@ -34,9 +35,11 @@ Documentation for %{name}
%prep
%setup -q -c -T
-# Avoid some encoding complaints.
-# https://github.com/svenfuchs/i18n/issues/176
-LANG=en_US.utf8 %gem_install -n %{SOURCE0}
+%gem_install -n %{SOURCE0}
+
+pushd .%{gem_instdir}
+%patch0 -p1
+popd
%build
@@ -73,6 +76,9 @@ popd
%changelog
+* Mon Dec 09 2013 Vít Ondruch <vondruch at redhat.com> - 0.6.1-4
+- Fix cross-site scripting flaw in exception handling (CVE-2013-4492).
+
* Tue Feb 26 2013 Vít Ondruch <vondruch at redhat.com> - 0.6.1-3
- Rebuild for https://fedoraproject.org/wiki/Features/Ruby_2.0.0