[DRE-commits] r5011 - in trunk/redmine/debian: . patches

Jérémy Lal kapouer-guest at alioth.debian.org
Wed Mar 24 23:11:16 UTC 2010


Author: kapouer-guest
Date: 2010-03-24 23:11:15 +0000 (Wed, 24 Mar 2010)
New Revision: 5011

Added:
   trunk/redmine/debian/patches/changeset_r3611.diff
   trunk/redmine/debian/patches/changeset_r3612.diff
Modified:
   trunk/redmine/debian/changelog
   trunk/redmine/debian/patches/series
Log:
Some security fixes.

Modified: trunk/redmine/debian/changelog
===================================================================
--- trunk/redmine/debian/changelog	2010-03-24 14:40:29 UTC (rev 5010)
+++ trunk/redmine/debian/changelog	2010-03-24 23:11:15 UTC (rev 5011)
@@ -1,6 +1,8 @@
 redmine (0.9.3-3) UNRELEASED; urgency=low
 
   * Removes completely ineffective fcgi patch.
+  * Security fix : Escape href attribute in auto links.
+  * Security fix : Fixes permission check in QueriesController.
 
  -- Jérémy Lal <kapouer at melix.org>  Wed, 24 Mar 2010 14:02:03 +0100
 
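Review bot: the two new changelog entries give no pointer to the upstream changesets (r3611 and r3612, named only in the patch files added by this commit) and no bug or CVE reference, so a reader of the changelog cannot trace which upstream fix each entry corresponds to; consider `* Security fix: escape href attribute in auto links (upstream r3612).` and the same for the QueriesController entry. Two smaller points: `urgency=low` is unusual for an upload whose only new content is security fixes (`urgency=high` is the convention there), and the space before the colon in `Security fix :` does not match the punctuation of the existing entry above it.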

Added: trunk/redmine/debian/patches/changeset_r3611.diff
===================================================================
--- trunk/redmine/debian/patches/changeset_r3611.diff	                        (rev 0)
+++ trunk/redmine/debian/patches/changeset_r3611.diff	2010-03-24 23:11:15 UTC (rev 5011)
@@ -0,0 +1,16 @@
+Upstream security fix : Fixes permission check in QueriesController
+Author : Jean-Philippe Lang
+
+Index: trunk/app/controllers/queries_controller.rb
+===================================================================
+--- trunk/app/controllers/queries_controller.rb	(revision 3610)
++++ trunk/app/controllers/queries_controller.rb	(revision 3611)
+@@ -74,7 +74,7 @@
+   
+   def find_optional_project
+     @project = Project.find(params[:project_id]) if params[:project_id]
+-    User.current.allowed_to?(:save_queries, @project, :global => true)
++    render_403 unless User.current.allowed_to?(:save_queries, @project, :global => true)
+   rescue ActiveRecord::RecordNotFound
+     render_404
+   end
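Review bot: the removed line is the actual bug, and it is worth spelling out in the patch header: `User.current.allowed_to?(...)` was called for its side effect only, its boolean result discarded, so the method never refused a request; if `find_optional_project` is wired as a before_filter, as its name and the `render_404` rescue suggest, Rails 2 only halts the filter chain when the filter renders or redirects, which is exactly what the added `render_403 unless ...` now does. On the patch file itself: it carries free-form `Upstream security fix` / `Author` lines rather than DEP-3 headers (`Description:`, `Origin: upstream, r3611`, `Author:`), and the `Index:` and `---`/`+++` paths keep the upstream `trunk/` prefix, so the patch applies only because quilt's default `-p1` strips exactly that component; that works, but a one-line note in the header would save the next maintainer from guessing why the paths differ from the other patches in the series.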

Added: trunk/redmine/debian/patches/changeset_r3612.diff
===================================================================
--- trunk/redmine/debian/patches/changeset_r3612.diff	                        (rev 0)
+++ trunk/redmine/debian/patches/changeset_r3612.diff	2010-03-24 23:11:15 UTC (rev 5011)
@@ -0,0 +1,70 @@
+Upstream security fix : Escape href attribute in auto links
+Author : Jean-Philippe Lang
+
+--- a/test/unit/helpers/application_helper_test.rb
++++ b/test/unit/helpers/application_helper_test.rb
+@@ -59,12 +59,14 @@
+       'sftp://foo.bar' => '<a class="external" href="sftp://foo.bar">sftp://foo.bar</a>',
+       # two exclamation marks
+       'http://example.net/path!602815048C7B5C20!302.html' => '<a class="external" href="http://example.net/path!602815048C7B5C20!302.html">http://example.net/path!602815048C7B5C20!302.html</a>',
++      # escaping
++      'http://foo"bar' => '<a class="external" href="http://foo&quot;bar">http://foo"bar</a>',
+     }
+     to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
+   end
+   
+   def test_auto_mailto
+-    assert_equal '<p><a href="mailto:test at foo.bar" class="email">test at foo.bar</a></p>', 
++    assert_equal '<p><a class="email" href="mailto:test at foo.bar">test at foo.bar</a></p>', 
+       textilizable('test at foo.bar')
+   end
+   
+@@ -129,6 +131,8 @@
+       "\"system administrator\":mailto:sysadmin at example.com?subject=redmine%20permissions" => "<a href=\"mailto:sysadmin at example.com?subject=redmine%20permissions\">system administrator</a>",
+       # two exclamation marks
+       '"a link":http://example.net/path!602815048C7B5C20!302.html' => '<a href="http://example.net/path!602815048C7B5C20!302.html" class="external">a link</a>',
++      # escaping
++      '"test":http://foo"bar' => '<a href="http://foo&quot;bar" class="external">test</a>',
+     }
+     to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
+   end
+--- a/lib/redmine/wiki_formatting/textile/formatter.rb
++++ b/lib/redmine/wiki_formatting/textile/formatter.rb
+@@ -22,6 +22,7 @@
+   module WikiFormatting
+     module Textile
+       class Formatter < RedCloth3
++        include ActionView::Helpers::TagHelper
+         
+         # auto_link rule after textile rules so that it doesn't break !image_url! tags
+         RULES = [:textile, :block_markdown_rule, :inline_auto_link, :inline_auto_mailto, :inline_toc, :inline_macros]
+@@ -162,7 +163,8 @@
+                 url=url[0..-2] # discard closing parenth from url
+                 post = ")"+post # add closing parenth to post
+               end
+-              %(#{leading}<a class="external" href="#{proto=="www."?"http://www.":proto}#{url}">#{proto + url}</a>#{post})
++              tag = content_tag('a', proto + url, :href => "#{proto=="www."?"http://www.":proto}#{url}", :class => 'external')
++              %(#{leading}#{tag}#{post})
+             end
+           end
+         end
+@@ -174,7 +176,7 @@
+             if text.match(/<a\b[^>]*>(.*)(#{Regexp.escape(mail)})(.*)<\/a>/)
+               mail
+             else
+-              %{<a href="mailto:#{mail}" class="email">#{mail}</a>}
++              content_tag('a', mail, :href => "mailto:#{mail}", :class => "email")
+             end
+           end
+         end
+--- a/lib/redcloth3.rb
++++ b/lib/redcloth3.rb
+@@ -818,7 +818,7 @@
+               post = ")"+post # add closing parenth to post
+             end
+             atts = pba( atts )
+-            atts = " href=\"#{ url }#{ slash }\"#{ atts }"
++            atts = " href=\"#{ htmlesc url }#{ slash }\"#{ atts }"
+             atts << " title=\"#{ htmlesc title }\"" if title
+             atts = shelve( atts ) if atts
+             
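Review bot: the expected strings in the test hunks read `mailto:test at foo.bar` and `sysadmin at example.com`, i.e. `@` replaced by ` at `; if that munging is present in the committed file rather than only in this list archive rendering, the `-` line of `test_auto_mailto` will not match the upstream test source and the hunk will fail to apply, and the assertions would be wrong in any case, so please confirm the file in the repository contains the literal `@`. On the fix itself: the formatter.rb hunks route both auto links and mailto links through `content_tag`, whose attribute handling escapes the href value (the new `http://foo"bar` case expects `&quot;`), which is also why `test_auto_mailto` swaps the `class`/`href` order to match `content_tag`'s attribute ordering; the explicit-link path in redcloth3.rb keeps its hand-built attribute string and only wraps `url` in `htmlesc`, leaving `slash` and the output of `pba( atts )` interpolated as before, so it is worth stating in the header why those two cannot carry a user-controlled quote character. Like the other patch file, this one also lacks DEP-3 headers.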

Modified: trunk/redmine/debian/patches/series
===================================================================
--- trunk/redmine/debian/patches/series	2010-03-24 14:40:29 UTC (rev 5010)
+++ trunk/redmine/debian/patches/series	2010-03-24 23:11:15 UTC (rev 5011)
@@ -18,3 +18,5 @@
 0018-engines-rails2.2.patch
 0019-no-batch_size-in-rails2.2.patch
 0020-application-rb-for-rails2.2.patch
+changeset_r3611.diff
+changeset_r3612.diff
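Review bot: the two new entries break the `NNNN-description.patch` naming used by the rest of the series (`0018-...`, `0019-...`, `0020-...`); naming them `0021-changeset_r3611.patch` and `0022-changeset_r3612.patch` keeps the ordering explicit and makes clear that they are meant to apply after the rails2.2 adjustments rather than being stray upstream diffs dropped at the end of the list.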




More information about the Pkg-ruby-extras-commits mailing list