[rubygem-will_paginate/f20] Fix XSS vulnerabilities (CVE-2013-6459)
Vít Ondruch
vondruch at fedoraproject.org
Fri Jan 10 08:34:58 UTC 2014
commit 9d30639e43f56bbe9bb61ec0ac2c503cace845db
Author: Vít Ondruch <vondruch at redhat.com>
Date: Fri Jan 10 09:33:35 2014 +0100
Fix XSS vulnerabilities (CVE-2013-6459)
(add one more patch pointed out in the associated bug).
...prevent-tampering-with-host-port-protocol.patch | 70 ++++++++++++++++++++
rubygem-will_paginate.spec | 9 ++-
2 files changed, 78 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch b/rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch
new file mode 100644
index 0000000..f896a32
--- /dev/null
+++ b/rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch
@@ -0,0 +1,70 @@
+From c62c6f68a5e5e00a13ded984a4a3a79b41f9ce4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mislav=20Marohni=C4=87?= <mislav.marohnic at gmail.com>
+Date: Wed, 18 Sep 2013 16:52:28 -0400
+Subject: [PATCH] prevent tampering with host, port, protocol
+
+Prevents :host, :port, :protocol settings get inherited from GET query
+parameters.
+
+Fixes #285
+---
+ lib/will_paginate/view_helpers/action_view.rb | 1 +
+ spec/view_helpers/action_view_spec.rb | 17 +++++++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/lib/will_paginate/view_helpers/action_view.rb b/lib/will_paginate/view_helpers/action_view.rb
+index 6fa2929..0fba71e 100644
+--- a/lib/will_paginate/view_helpers/action_view.rb
++++ b/lib/will_paginate/view_helpers/action_view.rb
+@@ -106,6 +106,7 @@ def default_url_params
+ def url(page)
+ @base_url_params ||= begin
+ url_params = merge_get_params(default_url_params)
++ url_params[:only_path] = true
+ merge_optional_params(url_params)
+ end
+
+diff --git a/spec/view_helpers/action_view_spec.rb b/spec/view_helpers/action_view_spec.rb
+index bda9655..c7797db 100644
+--- a/spec/view_helpers/action_view_spec.rb
++++ b/spec/view_helpers/action_view_spec.rb
+@@ -189,6 +189,15 @@ def renderer.gap() '<span class="my-gap">~~</span>' end
+ paginate
+ assert_links_match /foo\[bar\]=baz/
+ end
++
++ it "doesn't allow tampering with host, port, protocol" do
++ request.params :host => 'disney.com', :port => '99', :protocol => 'ftp'
++ paginate
++ assert_links_match %r{^/foo/bar}
++ assert_no_links_match /disney/
++ assert_no_links_match /99/
++ assert_no_links_match /ftp/
++ end
+
+ it "should not preserve parameters on POST" do
+ request.post
+@@ -328,16 +337,16 @@ class << helper
+ include Routes.url_helpers
+ include WillPaginate::ActionView
+ end
+- helper.default_url_options[:host] = 'example.com'
+- helper.default_url_options[:controller] = 'dummy'
+- # helper.default_url_options[:only_path] = true
++ helper.default_url_options.update \
++ :only_path => true,
++ :controller => 'dummy'
+
+ collection = WillPaginate::Collection.new(2, 1, 3)
+ @render_output = helper.will_paginate(collection)
+
+ assert_select 'a[href]', 4 do |links|
+ urls = links.map {|l| l['href'] }.uniq
+- urls.should == ['http://example.com/dummy/page/1', 'http://example.com/dummy/page/3']
++ urls.should == ['/dummy/page/1', '/dummy/page/3']
+ end
+ end
+
+--
+1.8.5.1
+
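Review bot: the one-line fix in the action_view.rb hunk, `url_params[:only_path] = true`, is set before `merge_optional_params(url_params)` runs, so confirm that options merged in that later step cannot silently switch :only_path back off; if that path is meant to remain overridable by the caller, it deserves a comment, since the whole point of the change is that request parameters such as :host, :port and :protocol must never reach url_for. The spec hunk at -328 also shows the behaviour change this brings: `default_url_options[:host] = 'example.com'` is dropped and the expected hrefs move from `'http://example.com/dummy/page/1'` to `'/dummy/page/1'`, so every pagination link becomes path-relative, which is the right default for preventing the tampering the new "doesn't allow tampering with host, port, protocol" test covers, but it is a visible change for any application that relied on absolute pagination URLs and should be called out in the package changelog. Finally, this patch is taken from 3.0.5 while the package builds 3.0.4; the hunk contexts at -106, -189 and -328 should be verified against the sources actually shipped in the gem before relying on a clean `-p1` apply.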
diff --git a/rubygem-will_paginate.spec b/rubygem-will_paginate.spec
index d00f8a6..63ffff5 100644
--- a/rubygem-will_paginate.spec
+++ b/rubygem-will_paginate.spec
@@ -4,7 +4,7 @@
Summary: Most awesome pagination solution for Rails
Name: rubygem-%{gem_name}
Version: 3.0.4
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Development/Languages
License: MIT
URL: http://github.com/mislav/will_paginate
@@ -16,6 +16,8 @@ Patch0: rubygem-will_paginate-3.0.4-Rails-4-compat-port-named-scopes-to-n
# https://github.com/mislav/will_paginate/releases/tag/v3.0.5
# https://github.com/mislav/will_paginate/commit/4cb4986d5ce05aa84572b05cfd1c1d0aa9bc07df
Patch1: rubygem-will_paginate-3.0.5-CVE-2013-6459-always-call-html_safe-on-will_paginate-result.patch
+# https://github.com/mislav/will_paginate/commit/c62c6f68a5e5e00a13ded984a4a3a79b41f9ce4b
+Patch2: rubygem-will_paginate-3.0.5-CVE-2013-6459-prevent-tampering-with-host-port-protocol.patch
Requires: ruby(release)
Requires: ruby(rubygems)
Requires: rubygem(activerecord)
@@ -45,6 +47,7 @@ templates.
pushd .%{gem_instdir}
%patch0 -p1
%patch1 -p1
+%patch2 -p1
popd
%build
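Review bot: `%patch2 -p1` is applied inside `.%{gem_instdir}`, and the new patch modifies `spec/view_helpers/action_view_spec.rb` in addition to `lib/will_paginate/view_helpers/action_view.rb`; if the unpacked gem does not contain the spec/ tree, %prep will fail on the second file. Either confirm that the gem ships the spec files (Patch1 presumably has the same dependency, so this may already be known to work) or drop the spec hunks from the backported patch and keep only the lib/ change.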
@@ -72,6 +75,10 @@ popd
%changelog
+* Fri Jan 10 2014 Vít Ondruch <vondruch at redhat.com> - 3.0.4-5
+- Fix XSS vulnerabilities (CVE-2013-6459) (add one more patch pointed out in
+ the associated bug).
+
* Thu Jan 02 2014 Vít Ondruch <vondruch at redhat.com> - 3.0.4-4
- Fix XSS vulnerabilities (CVE-2013-6459).
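Review bot: the changelog entry for 3.0.4-5 repeats the commit message but does not say what the additional patch does; since it forces `:only_path => true` on all pagination links (the upstream spec now expects `/dummy/page/1` rather than `http://example.com/dummy/page/1`), a short note that links become path-relative would help administrators reading the update understand a possible change in rendered output.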