[rubygem-actionpack/f20] Add missing patch

Josef Stribny jstribny at fedoraproject.org
Mon Dec 16 07:55:25 UTC 2013


commit bbcd34fac1a857080ae6de605911444af91e5077
Author: Josef Stribny <jstribny at redhat.com>
Date:   Mon Dec 16 08:54:55 2013 +0100

    Add missing patch

 rubygem-actionpack-3.2.16-multiple-CVEs.patch |  266 +++++++++++++++++++++++++
 1 files changed, 266 insertions(+), 0 deletions(-)
---
diff --git a/rubygem-actionpack-3.2.16-multiple-CVEs.patch b/rubygem-actionpack-3.2.16-multiple-CVEs.patch
new file mode 100644
index 0000000..1023702
--- /dev/null
+++ b/rubygem-actionpack-3.2.16-multiple-CVEs.patch
@@ -0,0 +1,266 @@
+From 1ec3806cc8d32e8365a1edbabcda3ef104f62055 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sat, 30 Nov 2013 17:02:53 -0800
+Subject: [PATCH 1/8] Only use valid mime type symbols as cache keys
+
+CVE-2013-6414
+---
+ actionpack/lib/action_view/lookup_context.rb | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/action_view/lookup_context.rb b/lib/action_view/lookup_context.rb
+index f9d5b97..c6ff683 100644
+--- a/lib/action_view/lookup_context.rb
++++ b/lib/action_view/lookup_context.rb
+@@ -62,6 +62,13 @@ class DetailsKey #:nodoc:
+       @details_keys = ThreadSafe::Cache.new
+ 
+       def self.get(details)
++        if details[:formats]
++          details = details.dup
++          syms    = Set.new Mime::SET.symbols
++          details[:formats] = details[:formats].select { |v|
++            syms.include? v
++          }
++        end
+         @details_keys[details] ||= new
+       end
+ 
+-- 
+1.8.5.1
+
+
+From 6658782d60651a65efc43b621225543dd30125c5 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Mon, 2 Dec 2013 10:12:47 +1300
+Subject: [PATCH 2/8] Escape the unit value provided to number_to_currency
+
+Previously the unit values were trusted leading to potential XSS vulnerabilities.
+
+Fixes: CVE-2013-6415
+---
+ actionpack/lib/action_view/helpers/number_helper.rb | 1 +
+ actionpack/test/template/number_helper_test.rb      | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/action_view/helpers/number_helper.rb b/lib/action_view/helpers/number_helper.rb
+index fda7038..f3914e4 100644
+--- a/lib/action_view/helpers/number_helper.rb
++++ b/lib/action_view/helpers/number_helper.rb
+@@ -411,6 +411,7 @@ def number_to_human(number, options = {})
+       def escape_unsafe_delimiters_and_separators(options)
+         options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
+         options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
++        options[:unit]      = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+         options
+       end
+ 
+diff --git a/test/template/number_helper_test.rb b/test/template/number_helper_test.rb
+index 6e64088..be336ea 100644
+--- a/test/template/number_helper_test.rb
++++ b/test/template/number_helper_test.rb
+@@ -14,7 +14,8 @@ def test_number_to_currency
+     assert_equal nil, number_to_currency(nil)
+     assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50)
+     assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0)
+-    assert_equal "1,234,567,890.50 - K&#269;", number_to_currency("-1234567890.50", unit: "K&#269;", format: "%n %u", negative_format: "%n - %u")
++    assert_equal "1,234,567,890.50 - K&#269;", number_to_currency("-1234567890.50", unit: raw("K&#269;"), format: "%n %u", negative_format: "%n - %u")
++    assert_equal "&amp;pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "&pound;")
+   end
+ 
+   def test_number_to_percentage
+-- 
+1.8.5.1
+
+
+From 4b4f5847f64f81c961625e647711ef9f6ad1a454 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Tue, 19 Nov 2013 09:00:08 +1300
+Subject: [PATCH 3/8] Ensure simple_format escapes its html attributes
+
+The previous behavior equated the sanitize option for simple_format with the
+escape option of content_tag, however these are two distinct concepts.
+
+This fixes CVE-2013-6416
+---
+ actionpack/lib/action_view/helpers/text_helper.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/action_view/helpers/text_helper.rb b/lib/action_view/helpers/text_helper.rb
+index 2ed825e..285d27d 100644
+--- a/lib/action_view/helpers/text_helper.rb
++++ b/lib/action_view/helpers/text_helper.rb
+@@ -266,7 +266,7 @@ def simple_format(text, html_options = {}, options = {})
+           content_tag(wrapper_tag, nil, html_options)
+         else
+           paragraphs.map { |paragraph|
+-            content_tag(wrapper_tag, paragraph, html_options, options[:sanitize])
++            content_tag(wrapper_tag, raw(paragraph), html_options)
+           }.join("\n\n").html_safe
+         end
+       end
+-- 
+1.8.5.1
+
+
+From ed065b2f693e1f9ef6aa6347f53e5258b1acb1b8 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Sat, 30 Nov 2013 16:45:23 +1300
+Subject: [PATCH 4/8] Deep Munge the parameters for GET and POST
+
+The previous implementation of this functionality could be accidentally
+subverted by instantiating a raw Rack::Request before the first Rails::Request
+was constructed.
+
+Fixes CVE-2013-6417
+---
+ actionpack/lib/action_dispatch/http/request.rb            |  4 ++--
+ .../test/dispatch/request/query_string_parsing_test.rb    | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/lib/action_dispatch/http/request.rb b/lib/action_dispatch/http/request.rb
+index ebd87c4..ba04000 100644
+--- a/lib/action_dispatch/http/request.rb
++++ b/lib/action_dispatch/http/request.rb
+@@ -271,7 +271,7 @@ def session_options=(options)
+ 
+     # Override Rack's GET method to support indifferent access
+     def GET
+-      @env["action_dispatch.request.query_parameters"] ||= (normalize_encode_params(super) || {})
++      @env["action_dispatch.request.query_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
+     rescue TypeError => e
+       raise ActionController::BadRequest.new(:query, e)
+     end
+@@ -279,7 +279,7 @@ def GET
+ 
+     # Override Rack's POST method to support indifferent access
+     def POST
+-      @env["action_dispatch.request.request_parameters"] ||= (normalize_encode_params(super) || {})
++      @env["action_dispatch.request.request_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
+     rescue TypeError => e
+       raise ActionController::BadRequest.new(:request, e)
+     end
+diff --git a/test/dispatch/request/query_string_parsing_test.rb b/test/dispatch/request/query_string_parsing_test.rb
+index f072a9f..0ad0dbc 100644
+--- a/test/dispatch/request/query_string_parsing_test.rb
++++ b/test/dispatch/request/query_string_parsing_test.rb
+@@ -11,6 +11,17 @@ def parse
+       head :ok
+     end
+   end
++  class EarlyParse
++    def initialize(app)
++      @app = app
++    end
++
++    def call(env)
++      # Trigger a Rack parse so that env caches the query params
++      Rack::Request.new(env).params
++      @app.call(env)
++    end
++  end
+ 
+   def teardown
+     TestController.last_query_parameters = nil
+@@ -131,6 +142,10 @@ def assert_parses(expected, actual)
+         set.draw do
+           get ':action', :to => ::QueryStringParsingTest::TestController
+         end
++        @app = self.class.build_app(set) do |middleware|
++          middleware.use(EarlyParse)
++        end
++
+ 
+         get "/parse", actual
+         assert_response :ok
+-- 
+1.8.5.1
+
+
+From ec16ba75a5493b9da972eea08bae630eba35b62f Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Fri, 1 Nov 2013 11:50:05 +1300
+Subject: [PATCH 5/8] Stop using i18n's built in HTML error handling.
+
+i18n doesn't depend on active support which means it can't use our html_safe
+code to do its escaping when generating the spans.  Rather than try to sanitize
+the output from i18n, just revert to our old behaviour of rescuing the error
+and constructing the tag ourselves.
+
+Fixes: CVE-2013-4491
+---
+ .../lib/action_view/helpers/translation_helper.rb  | 22 +++++++++-------------
+ .../test/template/translation_helper_test.rb       |  2 +-
+ 2 files changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/action_view/helpers/translation_helper.rb b/lib/action_view/helpers/translation_helper.rb
+index ad8eb47..a1a2beb 100644
+--- a/lib/action_view/helpers/translation_helper.rb
++++ b/lib/action_view/helpers/translation_helper.rb
+@@ -1,24 +1,14 @@
+ require 'action_view/helpers/tag_helper'
+ require 'i18n/exceptions'
+ 
+-module I18n
+-  class ExceptionHandler
+-    include Module.new {
+-      def call(exception, locale, key, options)
+-        exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super
+-      end
+-    }
+-  end
+-end
+-
+ module ActionView
+   # = Action View Translation Helpers
+   module Helpers
+     module TranslationHelper
+       # Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
+       #
+-      # First, it'll pass the <tt>rescue_format: :html</tt> option to I18n so that any
+-      # thrown +MissingTranslation+ messages will be turned into inline spans that
++      # First, it will ensure that any thrown +MissingTranslation+ messages will be turned 
++      # into inline spans that:
+       #
+       #   * have a "translation-missing" class set,
+       #   * contain the missing key as a title attribute and
+@@ -44,8 +34,11 @@ module TranslationHelper
+       # naming convention helps to identify translations that include HTML tags so that
+       # you know what kind of output to expect when you call translate in a template.
+       def translate(key, options = {})
+-        options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
+         options[:default] = wrap_translate_defaults(options[:default]) if options[:default]
++
++        # If the user has specified rescue_format then pass it all through, otherwise use
++        # raise and do the work ourselves
++        options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
+         if html_safe_translation_key?(key)
+           html_safe_options = options.dup
+           options.except(*I18n::RESERVED_KEYS).each do |name, value|
+@@ -59,6 +52,9 @@ def translate(key, options = {})
+         else
+           I18n.translate(scope_key_by_partial(key), options)
+         end
++      rescue I18n::MissingTranslationData => e
++        keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
++        content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
+       end
+       alias :t :translate
+ 
+diff --git a/test/template/translation_helper_test.rb b/test/template/translation_helper_test.rb
+index d496dbb..0dfe47f 100644
+--- a/test/template/translation_helper_test.rb
++++ b/test/template/translation_helper_test.rb
+@@ -31,7 +31,7 @@ def setup
+   end
+ 
+   def test_delegates_to_i18n_setting_the_rescue_format_option_to_html
+-    I18n.expects(:translate).with(:foo, :locale => 'en', :rescue_format => :html).returns("")
++    I18n.expects(:translate).with(:foo, :locale => 'en', :raise=>true).returns("")
+     translate :foo, :locale => 'en'
+   end
+ 
+-- 
+1.8.5.
+
+
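Review bot: The added file carries only parts 1/8 through 5/8 of the upstream series (Subject lines at L25, L57, L100, L130 and L204), and its closing signature at L285 reads `1.8.5.` where every earlier one reads `1.8.5.1`, which looks like the file may have been truncated when it was copied; please confirm it matches the upstream series byte-for-byte and that parts 6–8 were deliberately left out, ideally by noting that in a header comment at the top of the patch such as `# Backport of the 3.2.16 security series (CVE-2013-4491, CVE-2013-6414, CVE-2013-6415, CVE-2013-6416, CVE-2013-6417); parts 6-8 not applicable here`. The inner diffs use gem-relative paths (`a/lib/action_view/lookup_context.rb`) while their diffstat lines still name `actionpack/lib/...`, so the patch only applies with `-p1` from the unpacked gem root; stating that in the same header would save the next packager a failed build. Two of the hunks also rely on names the added lines do not define: `Set.new` at L42 presumably needs `require 'set'` already present in lookup_context.rb, and `deep_munge` at L151 and L160 must already exist in request.rb for 3.2.16 — worth a quick check against the unpacked sources before the build.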

