[DRE-commits] [SCM] ruby-actionpack-3.2.git branch, master, updated. debian/3.2.6-3-3-g95bfdc7

Antonio Terceiro terceiro at debian.org
Fri Aug 10 17:20:02 UTC 2012


The following commit has been merged in the master branch:
commit 95bfdc7ff42f78568513e4509ffc61f26ad8fcff
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Fri Aug 10 13:32:05 2012 -0300

    Fix filenames / remove test file changes
    
    (no test files in the Debian package)

diff --git a/debian/changelog b/debian/changelog
index f2636a2..1d1defa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,10 @@ ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
     + CVE-2012-3463 - Ruby on Rails Potential XSS Vulnerability in select_tag
       prompt
     + CVE-2012-3465 - XSS Vulnerability in strip_tags
+    + Both patches were edited from their original versions in two ways:
+      - the leading a/ and b/ from the filenames were stripped
+      - changes over test files were removed, since the Debian package
+        contains no test files.
 
  -- Antonio Terceiro <terceiro at debian.org>  Fri, 10 Aug 2012 13:08:08 -0300
 
diff --git a/debian/patches/CVE-2012-3463.patch b/debian/patches/CVE-2012-3463.patch
index 9aa6962..356f8d0 100644
--- a/debian/patches/CVE-2012-3463.patch
+++ b/debian/patches/CVE-2012-3463.patch
@@ -5,13 +5,12 @@ Subject: [PATCH] escape select_tag :prompt values
 
 ---
  actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 ++--
- actionpack/test/template/form_tag_helper_test.rb      | 6 ++++++
  2 files changed, 8 insertions(+), 2 deletions(-)
 
-diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
+diff --git actionpack/lib/action_view/helpers/form_tag_helper.rb actionpack/lib/action_view/helpers/form_tag_helper.rb
 index 066b98d..9e0ec17 100644
---- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
-+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
+--- actionpack/lib/action_view/helpers/form_tag_helper.rb
++++ actionpack/lib/action_view/helpers/form_tag_helper.rb
 @@ -122,11 +122,11 @@ module ActionView
          html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
  
@@ -26,23 +25,6 @@ index 066b98d..9e0ec17 100644
          end
  
          content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
-diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
-index 68dfcee..6f0d0c3 100644
---- a/actionpack/test/template/form_tag_helper_test.rb
-+++ b/actionpack/test/template/form_tag_helper_test.rb
-@@ -208,6 +208,12 @@ class FormTagHelperTest < ActionView::TestCase
-     assert_dom_equal expected, actual
-   end
- 
-+  def test_select_tag_escapes_prompt
-+    actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
-+    expected = %(<select id="places" name="places"><option value=""><script>alert(1337)</script></option><option>Home</option><option>Work</option><option>Pub</option></select>)
-+    assert_dom_equal expected, actual
-+  end
-+
-   def test_select_tag_with_prompt_and_include_blank
-     actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "string", :include_blank => true
-     expected = %(<select name="places" id="places"><option value="">string</option><option value=""></option><option>Home</option><option>Work</option><option>Pub</option></select>)
 -- 
 1.7.11.1
 
diff --git a/debian/patches/CVE-2012-3465.patch b/debian/patches/CVE-2012-3465.patch
index a0cee93..2d583d9 100644
--- a/debian/patches/CVE-2012-3465.patch
+++ b/debian/patches/CVE-2012-3465.patch
@@ -6,13 +6,12 @@ Subject: [PATCH] Do not mark strip_tags result as html_safe
 Thanks to Marek Labos & Nethemba
 ---
  actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 +-
- actionpack/test/template/sanitize_helper_test.rb      | 4 ++--
  2 files changed, 3 insertions(+), 3 deletions(-)
 
-diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
+diff --git actionpack/lib/action_view/helpers/sanitize_helper.rb actionpack/lib/action_view/helpers/sanitize_helper.rb
 index 7768c8c..0f6a5ed 100644
---- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
-+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
+--- actionpack/lib/action_view/helpers/sanitize_helper.rb
++++ actionpack/lib/action_view/helpers/sanitize_helper.rb
 @@ -80,7 +80,7 @@ module ActionView
        #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
        #   # => Welcome to my website!
@@ -22,22 +21,6 @@ index 7768c8c..0f6a5ed 100644
        end
  
        # Strips all link tags from +text+ leaving just the link text.
-diff --git a/actionpack/test/template/sanitize_helper_test.rb b/actionpack/test/template/sanitize_helper_test.rb
-index 222d4db..cc93b53 100644
---- a/actionpack/test/template/sanitize_helper_test.rb
-+++ b/actionpack/test/template/sanitize_helper_test.rb
-@@ -42,9 +42,9 @@ class SanitizeHelperTest < ActionView::TestCase
-     [nil, '', '   '].each do |blank|
-       stripped = strip_tags(blank)
-       assert_equal blank, stripped
--      assert stripped.html_safe? unless blank.nil?
-     end
--    assert strip_tags("<script>").html_safe?
-+    assert_equal "", strip_tags("<script>")
-+    assert_equal "something <img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
-   end
- 
-   def test_sanitize_is_marked_safe
 -- 
 1.7.11.1
 
