[DRE-commits] [SCM] ruby-actionpack-2.3.git branch, master, updated. debian/2.3.14-2-2-gdd44dbd

Ondřej Surý ondrej at sury.org
Wed Apr 25 13:27:02 UTC 2012


The following commit has been merged in the master branch:
commit 67cc390abf6d8f2b6a3421c13ca773f8c2647604
Author: Ondřej Surý <ondrej at sury.org>
Date:   Fri Apr 13 15:39:25 2012 +0200

    Fix vulnerability for users that generate their own options tags for use with the select helper in Ruby On Rails [CVE-2012-1099] (Closes: #668607)

diff --git a/debian/patches/CVE-2012-1099.patch b/debian/patches/CVE-2012-1099.patch
new file mode 100644
index 0000000..82b29a3
--- /dev/null
+++ b/debian/patches/CVE-2012-1099.patch
@@ -0,0 +1,49 @@
+--- a/lib/action_view/helpers/form_options_helper.rb
++++ b/lib/action_view/helpers/form_options_helper.rb
+@@ -1,3 +1,4 @@
++# -*- coding: utf-8 -*-
+ require 'cgi'
+ require 'erb'
+ require 'action_view/helpers/form_helper'
+@@ -568,13 +569,13 @@ module ActionView
+       private
+         def add_options(option_tags, options, value = nil)
+           if options[:include_blank]
+-            option_tags = "<option value=\"\">#{options[:include_blank] if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
++            option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags
+           end
+           if value.blank? && options[:prompt]
+             prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('support.select.prompt', :default => 'Please select')
+-            option_tags = "<option value=\"\">#{prompt}</option>\n" + option_tags
++            option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags
+           end
+-          option_tags.html_safe
++          option_tags
+         end
+     end
+ 
+--- a/test/template/form_options_helper_test.rb
++++ b/test/template/form_options_helper_test.rb
+@@ -338,7 +338,7 @@ class FormOptionsHelperTest < ActionView
+ 
+   def test_select_under_fields_for_with_string_and_given_prompt
+     @post = Post.new
+-    options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>"
++    options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>".html_safe
+ 
+     fields_for :post, @post do |f|
+       concat f.select(:category, options, :prompt => 'The prompt')
+@@ -425,6 +425,13 @@ class FormOptionsHelperTest < ActionView
+     )
+   end
+ 
++  def test_select_escapes_options
++    assert_dom_equal(
++      '<select id="post_title" name="post[title]"><script>alert(1)</script></select>',
++      select('post', 'title', '<script>alert(1)</script>')
++    )
++  end
++
+   def test_select_with_selected_nil
+     @post = Post.new
+     @post.category = "<mus>"
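Review bot: The new test `test_select_escapes_options` (added around the `+@@ -425,6 +425,13 @@` hunk inside the patch) does not appear to pin the escaping it is named for: its expected markup contains a literal `<script>alert(1)</script>` element, while the fix (content_tag plus the dropped `.html_safe` in `add_options`) should make `select` emit that argument as escaped text, so a DOM comparison would see a `script` element on one side and a text node on the other. Unless the escaping was lost when the patch was pasted into this commit, the expected string should read `'<select id="post_title" name="post[title]">&lt;script&gt;alert(1)&lt;/script&gt;</select>',` so that a regression back to unescaped output fails the test rather than passes it; the patch file should be compared against the upstream fix before upload. Separately, the patch file starts directly at `--- a/lib/action_view/helpers/form_options_helper.rb` with no DEP-3 header; a short header giving Description (select now escapes option strings unless they are `html_safe`, which is a behaviour change for callers building their own option tags, as the `.html_safe` added in `test_select_under_fields_for_with_string_and_given_prompt` shows), Origin, Bug-Debian pointing at #668607 and the CVE id from the commit title would let future maintainers trace the change. The `add_options` method is shown in full, but the enclosing class in the test file starts and ends outside the hunk.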
diff --git a/debian/patches/series b/debian/patches/series
index bb37496..63046cc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001-use_system_activesupport.patch
 0002-dont_require_rubygems.patch
+CVE-2012-1099.patch
