[rubygem-will_paginate/f20] Fix XSS vulnerabilities (CVE-2013-6459)

Vít Ondruch vondruch at fedoraproject.org
Fri Jan 10 08:34:58 UTC 2014


commit 9d30639e43f56bbe9bb61ec0ac2c503cace845db
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Fri Jan 10 09:33:35 2014 +0100

    Fix XSS vulnerabilities (CVE-2013-6459)
    
    (add one more patch pointed out in the associated bug).

 ...prevent-tampering-with-host-port-protocol.patch |   70 ++++++++++++++++++++
 rubygem-will_paginate.spec                         |    9 ++-
 2 files changed, 78 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch b/rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch
new file mode 100644
index 0000000..f896a32
--- /dev/null
+++ b/rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch
@@ -0,0 +1,70 @@
+From c62c6f68a5e5e00a13ded984a4a3a79b41f9ce4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mislav=20Marohni=C4=87?= <mislav.marohnic at gmail.com>
+Date: Wed, 18 Sep 2013 16:52:28 -0400
+Subject: [PATCH] prevent tampering with host, port, protocol
+
+Prevents :host, :port, :protocol settings get inherited from GET query
+parameters.
+
+Fixes #285
+---
+ lib/will_paginate/view_helpers/action_view.rb |  1 +
+ spec/view_helpers/action_view_spec.rb         | 17 +++++++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/lib/will_paginate/view_helpers/action_view.rb b/lib/will_paginate/view_helpers/action_view.rb
+index 6fa2929..0fba71e 100644
+--- a/lib/will_paginate/view_helpers/action_view.rb
++++ b/lib/will_paginate/view_helpers/action_view.rb
+@@ -106,6 +106,7 @@ def default_url_params
+       def url(page)
+         @base_url_params ||= begin
+           url_params = merge_get_params(default_url_params)
++          url_params[:only_path] = true
+           merge_optional_params(url_params)
+         end
+ 
+diff --git a/spec/view_helpers/action_view_spec.rb b/spec/view_helpers/action_view_spec.rb
+index bda9655..c7797db 100644
+--- a/spec/view_helpers/action_view_spec.rb
++++ b/spec/view_helpers/action_view_spec.rb
+@@ -189,6 +189,15 @@ def renderer.gap() '<span class="my-gap">~~</span>' end
+     paginate
+     assert_links_match /foo\[bar\]=baz/
+   end
++
++  it "doesn't allow tampering with host, port, protocol" do
++    request.params :host => 'disney.com', :port => '99', :protocol => 'ftp'
++    paginate
++    assert_links_match %r{^/foo/bar}
++    assert_no_links_match /disney/
++    assert_no_links_match /99/
++    assert_no_links_match /ftp/
++  end
+   
+   it "should not preserve parameters on POST" do
+     request.post
+@@ -328,16 +337,16 @@ class << helper
+       include Routes.url_helpers
+       include WillPaginate::ActionView
+     end
+-    helper.default_url_options[:host] = 'example.com'
+-    helper.default_url_options[:controller] = 'dummy'
+-    # helper.default_url_options[:only_path] = true
++    helper.default_url_options.update \
++      :only_path => true,
++      :controller => 'dummy'
+ 
+     collection = WillPaginate::Collection.new(2, 1, 3)
+     @render_output = helper.will_paginate(collection)
+ 
+     assert_select 'a[href]', 4 do |links|
+       urls = links.map {|l| l['href'] }.uniq
+-      urls.should == ['http://example.com/dummy/page/1', 'http://example.com/dummy/page/3']
++      urls.should == ['/dummy/page/1', '/dummy/page/3']
+     end
+   end
+ 
+-- 
+1.8.5.1
+
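Review bot: the fix `url_params[:only_path] = true` is placed after `merge_get_params(default_url_params)` but before `merge_optional_params(url_params)`, so it neutralises request-supplied `:host`, `:port` and `:protocol` by forcing path-only links, while anything `merge_optional_params` writes afterwards could still override it if that helper sets those keys; a one-line code comment noting that the ordering is deliberate would help future maintainers. In the new spec, `assert_no_links_match /99/` will also fail if a legitimate page number containing 99 ever shows up in the rendered links; matching the port form (e.g. `/:99/`) would be more precise.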
diff --git a/rubygem-will_paginate.spec b/rubygem-will_paginate.spec
index d00f8a6..63ffff5 100644
--- a/rubygem-will_paginate.spec
+++ b/rubygem-will_paginate.spec
@@ -4,7 +4,7 @@
 Summary:       Most awesome pagination solution for Rails
 Name:          rubygem-%{gem_name}
 Version:       3.0.4
-Release:       4%{?dist}
+Release:       5%{?dist}
 Group:         Development/Languages
 License:       MIT
 URL:           http://github.com/mislav/will_paginate
@@ -16,6 +16,8 @@ Patch0:        rubygem-will_paginate-3.0.4-Rails-4-compat-port-named-scopes-to-n
 # https://github.com/mislav/will_paginate/releases/tag/v3.0.5
 # https://github.com/mislav/will_paginate/commit/4cb4986d5ce05aa84572b05cfd1c1d0aa9bc07df
 Patch1:        rubygem-will_paginate-3.0.5-CVE-2013-6459-always-call-html_safe-on-will_paginate-result.patch
+# https://github.com/mislav/will_paginate/commit/c62c6f68a5e5e00a13ded984a4a3a79b41f9ce4b
+Patch2:        rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch
 Requires:      ruby(release)
 Requires:      ruby(rubygems)
 Requires:      rubygem(activerecord)
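Review bot: the `Patch2:` comment cites only the upstream commit, whereas `Patch1:` above also cites the release tag it was taken from; adding the same `releases/tag/v3.0.5` reference for Patch2 keeps the provenance consistent, which matters here because the patch file name carries 3.0.5 while the spec `Version:` is 3.0.4.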
@@ -45,6 +47,7 @@ templates.
 pushd .%{gem_instdir}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 popd
 
 %build
@@ -72,6 +75,10 @@ popd
 
 
 %changelog
+* Fri Jan 10 2014 Vít Ondruch <vondruch at redhat.com> - 3.0.4-5
+- Fix XSS vulnerabilities (CVE-2013-6459) (add one more patch pointed out in
+  the associated bug).
+
 * Thu Jan 02 2014 Vít Ondruch <vondruch at redhat.com> - 3.0.4-4
 - Fix XSS vulnerabilities (CVE-2013-6459).
 

