[DRE-commits] r5011 - in trunk/redmine/debian: . patches
Jérémy Lal
kapouer-guest at alioth.debian.org
Wed Mar 24 23:11:16 UTC 2010
Author: kapouer-guest
Date: 2010-03-24 23:11:15 +0000 (Wed, 24 Mar 2010)
New Revision: 5011
Added:
trunk/redmine/debian/patches/changeset_r3611.diff
trunk/redmine/debian/patches/changeset_r3612.diff
Modified:
trunk/redmine/debian/changelog
trunk/redmine/debian/patches/series
Log:
Some security fixes.
Modified: trunk/redmine/debian/changelog
===================================================================
--- trunk/redmine/debian/changelog 2010-03-24 14:40:29 UTC (rev 5010)
+++ trunk/redmine/debian/changelog 2010-03-24 23:11:15 UTC (rev 5011)
@@ -1,6 +1,8 @@
redmine (0.9.3-3) UNRELEASED; urgency=low
* Removes completely ineffective fcgi patch.
+ * Security fix : Escape href attribute in auto links.
+ * Security fix : Fixes permission check in QueriesController.
-- Jérémy Lal <kapouer at melix.org> Wed, 24 Mar 2010 14:02:03 +0100
Added: trunk/redmine/debian/patches/changeset_r3611.diff
===================================================================
--- trunk/redmine/debian/patches/changeset_r3611.diff (rev 0)
+++ trunk/redmine/debian/patches/changeset_r3611.diff 2010-03-24 23:11:15 UTC (rev 5011)
@@ -0,0 +1,16 @@
+Upstream security fix : Fixes permission check in QueriesController
+Author : Jean-Philippe Lang
+
+Index: trunk/app/controllers/queries_controller.rb
+===================================================================
+--- trunk/app/controllers/queries_controller.rb (revision 3610)
++++ trunk/app/controllers/queries_controller.rb (revision 3611)
+@@ -74,7 +74,7 @@
+
+ def find_optional_project
+ @project = Project.find(params[:project_id]) if params[:project_id]
+- User.current.allowed_to?(:save_queries, @project, :global => true)
++ render_403 unless User.current.allowed_to?(:save_queries, @project, :global => true)
+ rescue ActiveRecord::RecordNotFound
+ render_404
+ end
Added: trunk/redmine/debian/patches/changeset_r3612.diff
===================================================================
--- trunk/redmine/debian/patches/changeset_r3612.diff (rev 0)
+++ trunk/redmine/debian/patches/changeset_r3612.diff 2010-03-24 23:11:15 UTC (rev 5011)
@@ -0,0 +1,70 @@
+Upstream security fix : Escape href attribute in auto links
+Author : Jean-Philippe Lang
+
+--- a/test/unit/helpers/application_helper_test.rb
++++ b/test/unit/helpers/application_helper_test.rb
+@@ -59,12 +59,14 @@
+ 'sftp://foo.bar' => '<a class="external" href="sftp://foo.bar">sftp://foo.bar</a>',
+ # two exclamation marks
+ 'http://example.net/path!602815048C7B5C20!302.html' => '<a class="external" href="http://example.net/path!602815048C7B5C20!302.html">http://example.net/path!602815048C7B5C20!302.html</a>',
++ # escaping
++ 'http://foo"bar' => '<a class="external" href="http://foo"bar">http://foo"bar</a>',
+ }
+ to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
+ end
+
+ def test_auto_mailto
+- assert_equal '<p><a href="mailto:test at foo.bar" class="email">test at foo.bar</a></p>',
++ assert_equal '<p><a class="email" href="mailto:test at foo.bar">test at foo.bar</a></p>',
+ textilizable('test at foo.bar')
+ end
+
+@@ -129,6 +131,8 @@
+ "\"system administrator\":mailto:sysadmin at example.com?subject=redmine%20permissions" => "<a href=\"mailto:sysadmin at example.com?subject=redmine%20permissions\">system administrator</a>",
+ # two exclamation marks
+ '"a link":http://example.net/path!602815048C7B5C20!302.html' => '<a href="http://example.net/path!602815048C7B5C20!302.html" class="external">a link</a>',
++ # escaping
++ '"test":http://foo"bar' => '<a href="http://foo"bar" class="external">test</a>',
+ }
+ to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
+ end
+--- a/lib/redmine/wiki_formatting/textile/formatter.rb
++++ b/lib/redmine/wiki_formatting/textile/formatter.rb
+@@ -22,6 +22,7 @@
+ module WikiFormatting
+ module Textile
+ class Formatter < RedCloth3
++ include ActionView::Helpers::TagHelper
+
+ # auto_link rule after textile rules so that it doesn't break !image_url! tags
+ RULES = [:textile, :block_markdown_rule, :inline_auto_link, :inline_auto_mailto, :inline_toc, :inline_macros]
+@@ -162,7 +163,8 @@
+ url=url[0..-2] # discard closing parenth from url
+ post = ")"+post # add closing parenth to post
+ end
+- %(#{leading}<a class="external" href="#{proto=="www."?"http://www.":proto}#{url}">#{proto + url}</a>#{post})
++ tag = content_tag('a', proto + url, :href => "#{proto=="www."?"http://www.":proto}#{url}", :class => 'external')
++ %(#{leading}#{tag}#{post})
+ end
+ end
+ end
+@@ -174,7 +176,7 @@
+ if text.match(/<a\b[^>]*>(.*)(#{Regexp.escape(mail)})(.*)<\/a>/)
+ mail
+ else
+- %{<a href="mailto:#{mail}" class="email">#{mail}</a>}
++ content_tag('a', mail, :href => "mailto:#{mail}", :class => "email")
+ end
+ end
+ end
+--- a/lib/redcloth3.rb
++++ b/lib/redcloth3.rb
+@@ -818,7 +818,7 @@
+ post = ")"+post # add closing parenth to post
+ end
+ atts = pba( atts )
+- atts = " href=\"#{ url }#{ slash }\"#{ atts }"
++ atts = " href=\"#{ htmlesc url }#{ slash }\"#{ atts }"
+ atts << " title=\"#{ htmlesc title }\"" if title
+ atts = shelve( atts ) if atts
+
Modified: trunk/redmine/debian/patches/series
===================================================================
--- trunk/redmine/debian/patches/series 2010-03-24 14:40:29 UTC (rev 5010)
+++ trunk/redmine/debian/patches/series 2010-03-24 23:11:15 UTC (rev 5011)
@@ -18,3 +18,5 @@
0018-engines-rails2.2.patch
0019-no-batch_size-in-rails2.2.patch
0020-application-rb-for-rails2.2.patch
+changeset_r3611.diff
+changeset_r3612.diff
More information about the Pkg-ruby-extras-commits
mailing list