[rubygem-actionpack/f20] Add missing patch
Josef Stribny
jstribny at fedoraproject.org
Mon Dec 16 07:55:25 UTC 2013
commit bbcd34fac1a857080ae6de605911444af91e5077
Author: Josef Stribny <jstribny at redhat.com>
Date: Mon Dec 16 08:54:55 2013 +0100
Add missing patch
rubygem-actionpack-3.2.16-multiple-CVEs.patch | 266 +++++++++++++++++++++++++
1 files changed, 266 insertions(+), 0 deletions(-)
---
diff --git a/rubygem-actionpack-3.2.16-multiple-CVEs.patch b/rubygem-actionpack-3.2.16-multiple-CVEs.patch
new file mode 100644
index 0000000..1023702
--- /dev/null
+++ b/rubygem-actionpack-3.2.16-multiple-CVEs.patch
@@ -0,0 +1,266 @@
+From 1ec3806cc8d32e8365a1edbabcda3ef104f62055 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sat, 30 Nov 2013 17:02:53 -0800
+Subject: [PATCH 1/8] Only use valid mime type symbols as cache keys
+
+CVE-2013-6414
+---
+ actionpack/lib/action_view/lookup_context.rb | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/action_view/lookup_context.rb b/lib/action_view/lookup_context.rb
+index f9d5b97..c6ff683 100644
+--- a/lib/action_view/lookup_context.rb
++++ b/lib/action_view/lookup_context.rb
+@@ -62,6 +62,13 @@ class DetailsKey #:nodoc:
+ @details_keys = ThreadSafe::Cache.new
+
+ def self.get(details)
++ if details[:formats]
++ details = details.dup
++ syms = Set.new Mime::SET.symbols
++ details[:formats] = details[:formats].select { |v|
++ syms.include? v
++ }
++ end
+ @details_keys[details] ||= new
+ end
+
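Review bot: The filter added at L36–L42 only bounds the `:formats` component of the cache key; the other keys in `details` (`:locale`, `:handlers` in this Rails line) are not filtered, so an application that sets `I18n.locale` from request input without checking it against `I18n.available_locales` can presumably still grow `@details_keys` without bound. A comment above the `if` should state the assumption, e.g. `# CVE-2013-6414: only registered mime symbols may become cache keys; :locale/:handlers are assumed to be app-controlled, never request-controlled`. `Set.new Mime::SET.symbols` is rebuilt on every lookup, which is the safe choice because types can be registered after boot, but saying so in a comment would stop a later maintainer from memoizing it. Unknown formats are dropped silently rather than rejected, so a request whose formats are all unregistered is keyed on `[]`; that is probably intended but deserves a word. The enclosing `DetailsKey` class starts outside this hunk.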
+--
+1.8.5.1
+
+
+From 6658782d60651a65efc43b621225543dd30125c5 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Mon, 2 Dec 2013 10:12:47 +1300
+Subject: [PATCH 2/8] Escape the unit value provided to number_to_currency
+
+Previously the unit values were trusted leading to potential XSS vulnerabilities.
+
+Fixes: CVE-2013-6415
+---
+ actionpack/lib/action_view/helpers/number_helper.rb | 1 +
+ actionpack/test/template/number_helper_test.rb | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/action_view/helpers/number_helper.rb b/lib/action_view/helpers/number_helper.rb
+index fda7038..f3914e4 100644
+--- a/lib/action_view/helpers/number_helper.rb
++++ b/lib/action_view/helpers/number_helper.rb
+@@ -411,6 +411,7 @@ def number_to_human(number, options = {})
+ def escape_unsafe_delimiters_and_separators(options)
+ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator] && !options[:separator].html_safe?
+ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter] && !options[:delimiter].html_safe?
++ options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+ options
+ end
+
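Review bot: The helper now escapes `:unit`, but `:format` and `:negative_format` — the templates that `%u` and `%n` are substituted into, also taken from the options hash by `number_to_currency` outside this hunk — are left untouched, so if the final string is marked `html_safe` (as the `raw("Kč")` test change suggests), an application that lets user input reach `:format` still injects markup. Either escape them the same way, `options[:format] = ERB::Util.html_escape(options[:format]) if options[:format] && !options[:format].html_safe?` (and likewise for `:negative_format`), or document that format strings are trusted. The name `escape_unsafe_delimiters_and_separators` is now stale; a header comment such as `# HTML-escape the caller-supplied fragments (:separator, :delimiter, :unit) unless already html_safe; :format/:negative_format are trusted templates` would make the contract explicit.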
+diff --git a/test/template/number_helper_test.rb b/test/template/number_helper_test.rb
+index 6e64088..be336ea 100644
+--- a/test/template/number_helper_test.rb
++++ b/test/template/number_helper_test.rb
+@@ -14,7 +14,8 @@ def test_number_to_currency
+ assert_equal nil, number_to_currency(nil)
+ assert_equal "$1,234,567,890.50", number_to_currency(1234567890.50)
+ assert_equal "$1,234,567,892", number_to_currency(1234567891.50, precision: 0)
+- assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: "Kč", format: "%n %u", negative_format: "%n - %u")
++ assert_equal "1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", unit: raw("Kč"), format: "%n %u", negative_format: "%n - %u")
++ assert_equal "&pound;1,234,567,890.50", number_to_currency("1234567890.50", unit: "£")
+ end
+
+ def test_number_to_percentage
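Review bot: The new assertion at L85 expects a bare `£` unit to come back as the entity `&pound;`, yet `ERB::Util.html_escape`, which the previous hunk relies on, only rewrites `&`, `<`, `>`, `"` and `'` as far as I know, so as shown this line looks like it would fail (or the unit was `&pound;` in the original and was decoded in transit, in which case the escaped output would be `&amp;pound;`); run `test_number_to_currency` against the packaged patch before shipping. A test that pins the actual protection regardless of entity handling would be `assert_equal "&lt;b&gt;1,234,567,890.50", number_to_currency("1234567890.50", unit: "<b>")`.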
+--
+1.8.5.1
+
+
+From 4b4f5847f64f81c961625e647711ef9f6ad1a454 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Tue, 19 Nov 2013 09:00:08 +1300
+Subject: [PATCH 3/8] Ensure simple_format escapes its html attributes
+
+The previous behavior equated the sanitize option for simple_format with the
+escape option of content_tag, however these are two distinct concepts.
+
+This fixes CVE-2013-6416
+---
+ actionpack/lib/action_view/helpers/text_helper.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/action_view/helpers/text_helper.rb b/lib/action_view/helpers/text_helper.rb
+index 2ed825e..285d27d 100644
+--- a/lib/action_view/helpers/text_helper.rb
++++ b/lib/action_view/helpers/text_helper.rb
+@@ -266,7 +266,7 @@ def simple_format(text, html_options = {}, options = {})
+ content_tag(wrapper_tag, nil, html_options)
+ else
+ paragraphs.map { |paragraph|
+- content_tag(wrapper_tag, paragraph, html_options, options[:sanitize])
++ content_tag(wrapper_tag, raw(paragraph), html_options)
+ }.join("\n\n").html_safe
+ end
+ end
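Review bot: `raw(paragraph)` at L115 marks every paragraph safe unconditionally; that is only sound because `text` goes through `sanitize` earlier in `simple_format` (outside this hunk) unless the caller passes `:sanitize => false`, in which case the paragraph is now emitted unescaped — the pre-existing contract, but this line now carries the whole responsibility and should say so: `# paragraph was sanitized above (unless :sanitize => false); html_options are escaped by content_tag as of CVE-2013-6416`. `wrapper_tag` is also interpolated into the tag name by `content_tag` without escaping, so it must never be derived from user input; that caveat belongs in the method's documentation. `simple_format` starts before this hunk.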
+--
+1.8.5.1
+
+
+From ed065b2f693e1f9ef6aa6347f53e5258b1acb1b8 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Sat, 30 Nov 2013 16:45:23 +1300
+Subject: [PATCH 4/8] Deep Munge the parameters for GET and POST
+
+The previous implementation of this functionality could be accidentally
+subverted by instantiating a raw Rack::Request before the first Rails::Request
+was constructed.
+
+Fixes CVE-2013-6417
+---
+ actionpack/lib/action_dispatch/http/request.rb | 4 ++--
+ .../test/dispatch/request/query_string_parsing_test.rb | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/lib/action_dispatch/http/request.rb b/lib/action_dispatch/http/request.rb
+index ebd87c4..ba04000 100644
+--- a/lib/action_dispatch/http/request.rb
++++ b/lib/action_dispatch/http/request.rb
+@@ -271,7 +271,7 @@ def session_options=(options)
+
+ # Override Rack's GET method to support indifferent access
+ def GET
+- @env["action_dispatch.request.query_parameters"] ||= (normalize_encode_params(super) || {})
++ @env["action_dispatch.request.query_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
+ rescue TypeError => e
+ raise ActionController::BadRequest.new(:query, e)
+ end
+@@ -279,7 +279,7 @@ def GET
+
+ # Override Rack's POST method to support indifferent access
+ def POST
+- @env["action_dispatch.request.request_parameters"] ||= (normalize_encode_params(super) || {})
++ @env["action_dispatch.request.request_parameters"] ||= deep_munge((normalize_encode_params(super) || {}))
+ rescue TypeError => e
+ raise ActionController::BadRequest.new(:request, e)
+ end
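Review bot: The comments above `GET` and `POST` (L144, L153) still say the override exists only "to support indifferent access", which no longer explains the line below them; they should state why the munge is applied here, e.g. `# Override Rack's GET: normalize encoding and deep_munge the params here so that a Rack::Request built by earlier middleware cannot hand us un-munged nil/array values (CVE-2013-6417)`. Because the result is memoized under `@env["action_dispatch.request.query_parameters"]`, any middleware that writes that key itself would presumably still bypass the munge, which is worth noting in the same comment. `deep_munge` is defined outside this hunk.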
+diff --git a/test/dispatch/request/query_string_parsing_test.rb b/test/dispatch/request/query_string_parsing_test.rb
+index f072a9f..0ad0dbc 100644
+--- a/test/dispatch/request/query_string_parsing_test.rb
++++ b/test/dispatch/request/query_string_parsing_test.rb
+@@ -11,6 +11,17 @@ def parse
+ head :ok
+ end
+ end
++ class EarlyParse
++ def initialize(app)
++ @app = app
++ end
++
++ def call(env)
++ # Trigger a Rack parse so that env caches the query params
++ Rack::Request.new(env).params
++ @app.call(env)
++ end
++ end
+
+ def teardown
+ TestController.last_query_parameters = nil
+@@ -131,6 +142,10 @@ def assert_parses(expected, actual)
+ set.draw do
+ get ':action', :to => ::QueryStringParsingTest::TestController
+ end
++ @app = self.class.build_app(set) do |middleware|
++ middleware.use(EarlyParse)
++ end
++
+
+ get "/parse", actual
+ assert_response :ok
+--
+1.8.5.1
+
+
+From ec16ba75a5493b9da972eea08bae630eba35b62f Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Fri, 1 Nov 2013 11:50:05 +1300
+Subject: [PATCH 5/8] Stop using i18n's built in HTML error handling.
+
+i18n doesn't depend on active support which means it can't use our html_safe
+code to do its escaping when generating the spans. Rather than try to sanitize
+the output from i18n, just revert to our old behaviour of rescuing the error
+and constructing the tag ourselves.
+
+Fixes: CVE-2013-4491
+---
+ .../lib/action_view/helpers/translation_helper.rb | 22 +++++++++-------------
+ .../test/template/translation_helper_test.rb | 2 +-
+ 2 files changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/action_view/helpers/translation_helper.rb b/lib/action_view/helpers/translation_helper.rb
+index ad8eb47..a1a2beb 100644
+--- a/lib/action_view/helpers/translation_helper.rb
++++ b/lib/action_view/helpers/translation_helper.rb
+@@ -1,24 +1,14 @@
+ require 'action_view/helpers/tag_helper'
+ require 'i18n/exceptions'
+
+-module I18n
+- class ExceptionHandler
+- include Module.new {
+- def call(exception, locale, key, options)
+- exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super
+- end
+- }
+- end
+-end
+-
+ module ActionView
+ # = Action View Translation Helpers
+ module Helpers
+ module TranslationHelper
+ # Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
+ #
+- # First, it'll pass the <tt>rescue_format: :html</tt> option to I18n so that any
+- # thrown +MissingTranslation+ messages will be turned into inline spans that
++ # First, it will ensure that any thrown +MissingTranslation+ messages will be turned
++ # into inline spans that:
+ #
+ # * have a "translation-missing" class set,
+ # * contain the missing key as a title attribute and
+@@ -44,8 +34,11 @@ module TranslationHelper
+ # naming convention helps to identify translations that include HTML tags so that
+ # you know what kind of output to expect when you call translate in a template.
+ def translate(key, options = {})
+- options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
+ options[:default] = wrap_translate_defaults(options[:default]) if options[:default]
++
++ # If the user has specified rescue_format then pass it all through, otherwise use
++ # raise and do the work ourselves
++ options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
+ if html_safe_translation_key?(key)
+ html_safe_options = options.dup
+ options.except(*I18n::RESERVED_KEYS).each do |name, value|
+@@ -59,6 +52,9 @@ def translate(key, options = {})
+ else
+ I18n.translate(scope_key_by_partial(key), options)
+ end
++ rescue I18n::MissingTranslationData => e
++ keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
++ content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
+ end
+ alias :t :translate
+
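Review bot: The `rescue I18n::MissingTranslationData` at L261 is what now makes the missing-key span safe — `content_tag` escapes both the titleized key and the `:title` attribute — and that should be said where it happens: `# Build the span ourselves so content_tag escapes the key (CVE-2013-4491); i18n's :rescue_format => :html output was marked html_safe without escaping`. Two caveats belong in the `translate` docs: forcing `:raise` means a custom `I18n.exception_handler` is presumably no longer consulted for missing keys reached through this helper, and callers that pass `:rescue_format` themselves now receive i18n's own string, which is no longer marked html_safe and will be escaped on output. The doc comment in the earlier hunk speaks of `MissingTranslation` while the code rescues `MissingTranslationData`; aligning the wording would avoid confusion. `translate` starts before this hunk.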
+diff --git a/test/template/translation_helper_test.rb b/test/template/translation_helper_test.rb
+index d496dbb..0dfe47f 100644
+--- a/test/template/translation_helper_test.rb
++++ b/test/template/translation_helper_test.rb
+@@ -31,7 +31,7 @@ def setup
+ end
+
+ def test_delegates_to_i18n_setting_the_rescue_format_option_to_html
+- I18n.expects(:translate).with(:foo, :locale => 'en', :rescue_format => :html).returns("")
++ I18n.expects(:translate).with(:foo, :locale => 'en', :raise=>true).returns("")
+ translate :foo, :locale => 'en'
+ end
+
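Review bot: The test name `test_delegates_to_i18n_setting_the_rescue_format_option_to_html` at L274 now contradicts its expectation, which asserts `:raise=>true`; rename it to `def test_delegates_to_i18n_setting_the_raise_option` so the next reader does not assume `:rescue_format` is still sent. A second case for the rescue path — a missing key containing `<` rendered through `translate` and asserted to come back escaped inside the `translation_missing` span — would pin the CVE-2013-4491 fix, which this hunk only exercises indirectly (other tests may exist outside it).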
+--
+1.8.5.
+
+
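Review bot: The committed patch file looks truncated: every inner subject is numbered `[PATCH n/8]` but the file stops after `5/8`, and its final trailer reads `1.8.5.` where the earlier ones read `1.8.5.1`; the diffstat's 266 lines match what is shown, so this appears to be the file's content rather than a mail cut-off. Patches 6–8 of the upstream 3.2.16 series are not visible here and cannot be assessed, but a build would apply only the five fixes above (CVE-2013-6414, -6415, -6416, -6417, -4491) without any error pointing at the missing ones; re-export the series from upstream and compare line counts before pushing the update. The inner diffs are rooted at `lib/...` while their diffstats say `actionpack/lib/...`, which implies they were rebased for `-p1` from the unpacked gem; confirm the spec applies them at that level.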