[DRE-commits] [SCM] ruby-actionpack-3.2.git branch, master, updated. debian/3.2.6-3-3-g95bfdc7
Antonio Terceiro
terceiro at debian.org
Fri Aug 10 17:20:01 UTC 2012
The following commit has been merged in the master branch:
commit 4b363d32470f78a5fbc32cf0ef878fe62a7d323e
Author: Antonio Terceiro <terceiro at debian.org>
Date: Fri Aug 10 13:11:11 2012 -0300
New security patches (Closes: #684454)
diff --git a/debian/changelog b/debian/changelog
index c89736f..67e7977 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
+
+ * Add patches for security problems (Closes: #684454):
+ + CVE-2012-3463 - Ruby on Rails Potential XSS Vulnerability in select_tag
+ prompt
+ + CVE-2012-3464 - Potential XSS Vulnerability
+ + CVE-2012-3465 - XSS Vulnerability in strip_tags
+
+ -- Antonio Terceiro <terceiro at debian.org> Fri, 10 Aug 2012 13:08:08 -0300
+
ruby-actionpack-3.2 (3.2.6-3) unstable; urgency=high
* Add patch by Aaron Patterson for CVE-2012-3424 (Closes: #683370)
diff --git a/debian/patches/CVE-2012-3463.patch b/debian/patches/CVE-2012-3463.patch
new file mode 100644
index 0000000..9aa6962
--- /dev/null
+++ b/debian/patches/CVE-2012-3463.patch
@@ -0,0 +1,48 @@
+From ec30fba02d2d3a0c90dfc9a38629d2c0d55bf8c1 Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Wed, 8 Aug 2012 15:10:35 -0700
+Subject: [PATCH] escape select_tag :prompt values
+
+---
+ actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 ++--
+ actionpack/test/template/form_tag_helper_test.rb | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
+index 066b98d..9e0ec17 100644
+--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
++++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
+@@ -122,11 +122,11 @@ module ActionView
+ html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
+
+ if options.delete(:include_blank)
+- option_tags = "<option value=\"\"></option>".html_safe + option_tags
++ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
+ end
+
+ if prompt = options.delete(:prompt)
+- option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags
++ option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags)
+ end
+
+ content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
+diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
+index 68dfcee..6f0d0c3 100644
+--- a/actionpack/test/template/form_tag_helper_test.rb
++++ b/actionpack/test/template/form_tag_helper_test.rb
+@@ -208,6 +208,12 @@ class FormTagHelperTest < ActionView::TestCase
+ assert_dom_equal expected, actual
+ end
+
++ def test_select_tag_escapes_prompt
++ actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
++ expected = %(<select id="places" name="places"><option value=""><script>alert(1337)</script></option><option>Home</option><option>Work</option><option>Pub</option></select>)
++ assert_dom_equal expected, actual
++ end
++
+ def test_select_tag_with_prompt_and_include_blank
+ actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "string", :include_blank => true
+ expected = %(<select name="places" id="places"><option value="">string</option><option value=""></option><option>Home</option><option>Work</option><option>Pub</option></select>)
+--
+1.7.11.1
+
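Review bot: The switch from `.html_safe + option_tags` to `.safe_concat(option_tags)` in the two rewritten lines of select_tag changes how a non-html_safe `option_tags` string is treated: `SafeBuffer#+` escapes an unsafe operand, while `safe_concat` appends it verbatim and the result then reaches `content_tag :select` already marked safe. If callers are expected to pass only html_safe option strings (the new test does, via `.html_safe`) this is fine; otherwise `content_tag(:option, prompt, :value => '') + option_tags` keeps the escaping the old line had. The `select_tag` method starts and ends outside the inner hunk. As rendered on this page the expected string in `test_select_tag_escapes_prompt` shows `<script>` literally; the committed patch presumably carries the entity-escaped form (`&lt;script&gt;`), which is worth confirming in debian/patches since a decoded copy would make the test assert unescaped output.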
diff --git a/debian/patches/CVE-2012-3464.patch b/debian/patches/CVE-2012-3464.patch
new file mode 100644
index 0000000..235be54
--- /dev/null
+++ b/debian/patches/CVE-2012-3464.patch
@@ -0,0 +1,248 @@
+From b6ab4417720e03f1551abda2f1e4bd0a392dd04e Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Tue, 31 Jul 2012 22:25:54 -0300
+Subject: [PATCH] html_escape should escape single quotes
+
+https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
+Closes #7215
+---
+ .../test/controller/new_base/render_template_test.rb | 2 +-
+ actionpack/test/controller/render_test.rb | 4 ++--
+ actionpack/test/template/erb_util_test.rb | 12 ++++++------
+ actionpack/test/template/form_options_helper_test.rb | 2 +-
+ actionpack/test/template/form_tag_helper_test.rb | 2 +-
+ actionpack/test/template/template_test.rb | 2 +-
+ actionpack/test/template/text_helper_test.rb | 8 ++++----
+ actionpack/test/template/url_helper_test.rb | 18 +++++++++---------
+ .../active_support/core_ext/string/output_safety.rb | 6 +++---
+ activesupport/test/core_ext/string_ext_test.rb | 4 ++--
+ 10 files changed, 30 insertions(+), 30 deletions(-)
+
+diff --git a/actionpack/test/controller/new_base/render_template_test.rb b/actionpack/test/controller/new_base/render_template_test.rb
+index 156d87c..d0be4f6 100644
+--- a/actionpack/test/controller/new_base/render_template_test.rb
++++ b/actionpack/test/controller/new_base/render_template_test.rb
+@@ -126,7 +126,7 @@ module RenderTemplate
+ test "rendering a template with error properly excerts the code" do
+ get :with_error
+ assert_status 500
+- assert_match "undefined local variable or method `idontexist'", response.body
++ assert_match "undefined local variable or method `idontexist", response.body
+ end
+ end
+
+diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
+index 6bebe7e..3f047fc 100644
+--- a/actionpack/test/controller/render_test.rb
++++ b/actionpack/test/controller/render_test.rb
+@@ -186,7 +186,7 @@ class TestController < ActionController::Base
+
+ # :ported:
+ def render_text_hello_world_with_layout
+- @variable_for_layout = ", I'm here!"
++ @variable_for_layout = ", I am here!"
+ render :text => "hello world", :layout => true
+ end
+
+@@ -844,7 +844,7 @@ class RenderTest < ActionController::TestCase
+ # :ported:
+ def test_do_with_render_text_and_layout
+ get :render_text_hello_world_with_layout
+- assert_equal "<html>hello world, I'm here!</html>", @response.body
++ assert_equal "<html>hello world, I am here!</html>", @response.body
+ end
+
+ # :ported:
+diff --git a/actionpack/test/template/erb_util_test.rb b/actionpack/test/template/erb_util_test.rb
+index ca2710e..3d51024 100644
+--- a/actionpack/test/template/erb_util_test.rb
++++ b/actionpack/test/template/erb_util_test.rb
+@@ -8,11 +8,11 @@ class ErbUtilTest < ActiveSupport::TestCase
+ define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
+ assert_equal expected, html_escape(given)
+ end
++ end
+
+- unless given == '"'
+- define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+- assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
+- end
++ ERB::Util::JSON_ESCAPE.each do |given, expected|
++ define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
++ assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
+ end
+ end
+
+@@ -40,13 +40,13 @@ class ErbUtilTest < ActiveSupport::TestCase
+
+ def test_rest_in_ascii
+ (0..127).to_a.map {|int| int.chr }.each do |chr|
+- next if chr.in?('&"<>')
++ next if chr.in?('&"<>\'')
+ assert_equal chr, html_escape(chr)
+ end
+ end
+
+ def test_html_escape_once
+- assert_equal '1 < 2 & 3', html_escape_once('1 < 2 & 3')
++ assert_equal '1 <>&"' 2 & 3', html_escape_once('1 <>&"\' 2 & 3')
+ end
+
+ def test_html_escape_once_returns_unsafe_strings_when_passed_unsafe_strings
+diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb
+index bfc7317..43d4937 100644
+--- a/actionpack/test/template/form_options_helper_test.rb
++++ b/actionpack/test/template/form_options_helper_test.rb
+@@ -1125,7 +1125,7 @@ class FormOptionsHelperTest < ActionView::TestCase
+
+ def test_options_for_select_with_element_attributes
+ assert_dom_equal(
+- "<option value=\"<Denmark>\" class=\"bold\"><Denmark></option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
++ "<option value=\"<Denmark>\" class=\"bold\"><Denmark></option>\n<option value=\"USA\" onclick=\"" + ERB::Util.html_escape("alert('Hello World');") + "\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+ options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
+ )
+ end
+diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
+index 9afa4a2..6c791e0 100644
+--- a/actionpack/test/template/form_tag_helper_test.rb
++++ b/actionpack/test/template/form_tag_helper_test.rb
+@@ -374,7 +374,7 @@ class FormTagHelperTest < ActionView::TestCase
+
+ def test_submit_tag
+ assert_dom_equal(
+- %(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
++ %(<input name='commit' data-disable-with="Saving..." onclick=") + ERB::Util.html_escape("alert('hello!')") + %(" type="submit" value="Save" />),
+ submit_tag("Save", :onclick => "alert('hello!')", :data => { :disable_with => "Saving..." })
+ )
+ end
+diff --git a/actionpack/test/template/template_test.rb b/actionpack/test/template/template_test.rb
+index 322bea3..061f5bb 100644
+--- a/actionpack/test/template/template_test.rb
++++ b/actionpack/test/template/template_test.rb
+@@ -84,7 +84,7 @@ class TestERBTemplate < ActiveSupport::TestCase
+ def test_locals
+ @template = new_template("<%= my_local %>")
+ @template.locals = [:my_local]
+- assert_equal "I'm a local", render(:my_local => "I'm a local")
++ assert_equal "I am a local", render(:my_local => "I am a local")
+ end
+
+ def test_restores_buffer
+diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
+index a3ab091..75ec1d8 100644
+--- a/actionpack/test/template/text_helper_test.rb
++++ b/actionpack/test/template/text_helper_test.rb
+@@ -107,8 +107,8 @@ class TextHelperTest < ActionView::TestCase
+ end
+
+ def test_truncate_with_link_options
+- assert_equal "Here's a long test and I...<a href=\"#\">Continue</a>",
+- truncate("Here's a long test and I need a continue to read link", :length => 27) { link_to 'Continue', '#' }
++ assert_equal "Here is a long test and ...<a href=\"#\">Continue</a>",
++ truncate("Here is a long test and I need a continue to read link", :length => 27) { link_to 'Continue', '#' }
+ end
+
+ def test_truncate_should_be_html_safe
+@@ -149,8 +149,8 @@ class TextHelperTest < ActionView::TestCase
+ end
+
+ def test_truncate_with_block_should_escape_the_block
+- assert_equal "Here's a long test and I...<script>alert('foo');</script>",
+- truncate("Here's a long test and I need a continue to read link", :length => 27) { "<script>alert('foo');</script>" }
++ assert_equal "Here is a long test and ...<script>" + ERB::Util.html_escape("alert('foo');") + "</script>",
++ truncate("Here is a long test and I need a continue to read link", :length => 27) { "<script>alert('foo');</script>" }
+ end
+
+ def test_highlight_should_be_html_safe
+diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
+index cb6f378..2c67b22 100644
+--- a/actionpack/test/template/url_helper_test.rb
++++ b/actionpack/test/template/url_helper_test.rb
+@@ -244,7 +244,7 @@ class UrlHelperTest < ActiveSupport::TestCase
+
+ def test_link_tag_with_custom_onclick
+ link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
+- expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
++ expected = %{<a href="http://www.example.com" onclick="} + ERB::Util.html_escape("alert('yay!')") + %{">Hello</a>}
+ assert_dom_equal expected, link
+ end
+
+@@ -254,12 +254,12 @@ class UrlHelperTest < ActiveSupport::TestCase
+ link_to("Hello", "http://www.example.com", :data => { :confirm => "Are you sure?" })
+ )
+ assert_dom_equal(
+- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
+- link_to("Hello", "http://www.example.com", :data => { :confirm => "You can't possibly be sure, can you?" })
++ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
++ link_to("Hello", "http://www.example.com", :data => { :confirm => "You cant possibly be sure, can you?" })
+ )
+ assert_dom_equal(
+- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
+- link_to("Hello", "http://www.example.com", :data => { :confirm => "You can't possibly be sure,\n can you?" })
++ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
++ link_to("Hello", "http://www.example.com", :data => { :confirm => "You cant possibly be sure,\n can you?" })
+ )
+ end
+
+@@ -272,14 +272,14 @@ class UrlHelperTest < ActiveSupport::TestCase
+ end
+ assert_deprecated ":confirm option is deprecated and will be removed from Rails 4.1. Use ':data => { :confirm => \'Text\' }' instead" do
+ assert_dom_equal(
+- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
+- link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
++ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
++ link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
+ )
+ end
+ assert_deprecated ":confirm option is deprecated and will be removed from Rails 4.1. Use ':data => { :confirm => \'Text\' }' instead" do
+ assert_dom_equal(
+- "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
+- link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
++ "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
++ link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
+ )
+ end
+ end
+diff --git a/activesupport/lib/active_support/core_ext/string/output_safety.rb b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+index 5226ff0..c17d695 100644
+--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
++++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
+@@ -3,9 +3,9 @@ require 'active_support/core_ext/kernel/singleton_class'
+
+ class ERB
+ module Util
+- HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' }
++ HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
+ JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+- HTML_ESCAPE_ONCE_REGEXP = /[\"><]|&(?!([a-zA-Z]+|(#\d+));)/
++ HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+));)/
+ JSON_ESCAPE_REGEXP = /[&"><]/
+
+ # A utility method for escaping HTML tag characters.
+@@ -21,7 +21,7 @@ class ERB
+ if s.html_safe?
+ s
+ else
+- s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
++ s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
+ end
+ end
+
+diff --git a/activesupport/test/core_ext/string_ext_test.rb b/activesupport/test/core_ext/string_ext_test.rb
+index e5b7744..3b08ebe 100644
+--- a/activesupport/test/core_ext/string_ext_test.rb
++++ b/activesupport/test/core_ext/string_ext_test.rb
+@@ -498,8 +498,8 @@ class OutputSafetyTest < ActiveSupport::TestCase
+ end
+
+ test "ERB::Util.html_escape should escape unsafe characters" do
+- string = '<>&"'
+- expected = '<>&"'
++ string = '<>&"\''
++ expected = '<>&"''
+ assert_equal expected, ERB::Util.html_escape(string)
+ end
+
+--
+1.7.11.1
+
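Review bot: The rewritten `html_escape` body uses an inline `/[&"'><]/` while the neighbouring `HTML_ESCAPE_ONCE_REGEXP` and `JSON_ESCAPE_REGEXP` are module constants; for consistency, and so the escaped character set is declared once next to `HTML_ESCAPE`, add `HTML_ESCAPE_REGEXP = /[&"'><]/` beside the other constants and use `s.gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE).html_safe`. The `html_escape` signature sits above the inner hunk header, so the method starts outside what is shown. Several test updates (render_test, template_test, text_helper_test and the data-confirm cases in url_helper_test) remove the apostrophe from the fixtures rather than asserting the escaped output, whereas the onclick case in url_helper_test and form_tag_helper_test wrap the expectation in `ERB::Util.html_escape`; keeping the apostrophes with that wrapper would preserve those paths as regression coverage for the new escaping. The entity values in the `HTML_ESCAPE` hash and the expected strings in erb_util_test and string_ext_test appear decoded as rendered on this page (`"'" => '''` is not valid Ruby); the committed file presumably holds a numeric entity such as `&#39;` or `&#x27;`, which is worth confirming against the file in debian/patches.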
diff --git a/debian/patches/CVE-2012-3465.patch b/debian/patches/CVE-2012-3465.patch
new file mode 100644
index 0000000..a0cee93
--- /dev/null
+++ b/debian/patches/CVE-2012-3465.patch
@@ -0,0 +1,43 @@
+From bb98352d42d654970299450b009223968a53c6f8 Mon Sep 17 00:00:00 2001
+From: Santiago Pastorino <santiago at wyeworks.com>
+Date: Wed, 8 Aug 2012 14:33:39 -0700
+Subject: [PATCH] Do not mark strip_tags result as html_safe
+
+Thanks to Marek Labos & Nethemba
+---
+ actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 +-
+ actionpack/test/template/sanitize_helper_test.rb | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
+index 7768c8c..0f6a5ed 100644
+--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
++++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
+@@ -80,7 +80,7 @@ module ActionView
+ # strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+ # # => Welcome to my website!
+ def strip_tags(html)
+- self.class.full_sanitizer.sanitize(html).try(:html_safe)
++ self.class.full_sanitizer.sanitize(html)
+ end
+
+ # Strips all link tags from +text+ leaving just the link text.
+diff --git a/actionpack/test/template/sanitize_helper_test.rb b/actionpack/test/template/sanitize_helper_test.rb
+index 222d4db..cc93b53 100644
+--- a/actionpack/test/template/sanitize_helper_test.rb
++++ b/actionpack/test/template/sanitize_helper_test.rb
+@@ -42,9 +42,9 @@ class SanitizeHelperTest < ActionView::TestCase
+ [nil, '', ' '].each do |blank|
+ stripped = strip_tags(blank)
+ assert_equal blank, stripped
+- assert stripped.html_safe? unless blank.nil?
+ end
+- assert strip_tags("<script>").html_safe?
++ assert_equal "", strip_tags("<script>")
++ assert_equal "something <img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
+ end
+
+ def test_sanitize_is_marked_safe
+--
+1.7.11.1
+
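Review bot: The doc comment above `strip_tags` (the `# strip_tags(...)` example lines at the top of the inner hunk) still describes only the returned text and should state the new contract now that `try(:html_safe)` is gone, e.g. `# The result is a plain String, not marked html_safe, so it is escaped when rendered in a view.`. Because every existing caller now receives an unsafe string, a one-line mention in the Debian changelog entry that strip_tags output is escaped on render would help integrators who relied on the implicit safe marking. As rendered here the expected value in the new test, `"something <img onerror=alert(1337)"`, shows the `<` decoded; the committed patch presumably expects the `&lt;` form that `ERB::Util.html_escape` produces, which is worth confirming.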
diff --git a/debian/patches/series b/debian/patches/series
index d5adff9..0da5d8d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,4 @@
CVE-2012-3424.patch
+CVE-2012-3463.patch
+CVE-2012-3464.patch
+CVE-2012-3465.patch