[DRE-commits] [ruby-actionpack-3.2] 03/06: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails

Ondrej Sury ondrej at moszumanska.debian.org
Wed Dec 4 11:12:33 UTC 2013


This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.

commit 1ed8e0cfc9dd5d5d0d0a76a3613c31bccf92246a
Author: Ondřej Surý <ondrej at sury.org>
Date:   Wed Dec 4 11:45:53 2013 +0100

    [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
---
 debian/patches/CVE-2013-4491.patch | 62 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 63 insertions(+)

diff --git a/debian/patches/CVE-2013-4491.patch b/debian/patches/CVE-2013-4491.patch
new file mode 100644
index 0000000..3e17f44
--- /dev/null
+++ b/debian/patches/CVE-2013-4491.patch
@@ -0,0 +1,62 @@
+From 616414876d8d93f5b4be0e41d872d40e0e389ee4 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Fri, 1 Nov 2013 11:50:05 +1300
+Subject: [PATCH] Stop using i18n's built in HTML error handling.
+
+i18n doesn't depend on active support which means it can't use our html_safe
+code to do its escaping when generating the spans.  Rather than try to sanitize
+the output from i18n, just revert to our old behaviour of rescuing the error
+and constructing the tag ourselves.
+
+Fixes: CVE-2013-4491
+
+--- ruby-actionpack-3.2.orig/lib/action_view/helpers/translation_helper.rb
++++ ruby-actionpack-3.2/lib/action_view/helpers/translation_helper.rb
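Review bot: the patch header above carries the upstream From/Date/Subject lines and a "Fixes: CVE-2013-4491" line, but no DEP-3 "Origin:" field pointing at upstream commit 616414876d8d93f5b4be0e41d872d40e0e389ee4 and no "Bug-Debian:" reference; adding those two lines to the header makes it clear that this is a backport of an upstream fix rather than a Debian-local change and lets the patch be traced without reading the commit log.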
+@@ -1,24 +1,14 @@
+ require 'action_view/helpers/tag_helper'
+ require 'i18n/exceptions'
+ 
+-module I18n
+-  class ExceptionHandler
+-    include Module.new {
+-      def call(exception, locale, key, options)
+-        exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super
+-      end
+-    }
+-  end
+-end
+-
+ module ActionView
+   # = Action View Translation Helpers
+   module Helpers
+     module TranslationHelper
+       # Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
+       #
+-      # First, it'll pass the <tt>:rescue_format => :html</tt> option to I18n so that any
+-      # thrown +MissingTranslation+ messages will be turned into inline spans that
++      # First, it will ensure that any thrown +MissingTranslation+ messages will be turned 
++      # into inline spans that:
+       #
+       #   * have a "translation-missing" class set,
+       #   * contain the missing key as a title attribute and
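Review bot: the documentation kept in this hunk still promises a "translation-missing" class (hyphen), while the span constructed later in the same patch uses `:class => 'translation_missing'` (underscore); one of the two should be changed so the rendered markup matches what the docs tell users to style or test against. Also, the added line `+      # First, it will ensure that any thrown +MissingTranslation+ messages will be turned ` ends in trailing whitespace. The removal of the `I18n::ExceptionHandler` extension is the substantive fix: it marked i18n's raw error string `html_safe` without escaping the key, which is what allowed the reflected markup.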
+@@ -44,7 +34,9 @@ module ActionView
+       # naming convention helps to identify translations that include HTML tags so that
+       # you know what kind of output to expect when you call translate in a template.
+       def translate(key, options = {})
+-        options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
++        # If the user has specified rescue_format then pass it all through, otherwise use
++        # raise and do the work ourselves
++        options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
+         if html_safe_translation_key?(key)
+           html_safe_options = options.dup
+           options.except(*I18n::RESERVED_KEYS).each do |name, value|
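Review bot: with `options[:raise] = true` set only when neither `:raise` nor `:rescue_format` was given, a caller that still passes `:rescue_format => :html` explicitly no longer gets an `html_safe` span: the exception-handler extension is gone, so i18n returns a plain String that the view will escape and display as literal markup. That change in behaviour is safe but should be mentioned in the changelog or in the method's documentation so templates relying on the old option are updated. The method also still mutates the caller's `options` hash in place, as the replaced `merge!` did; a `dup` before assignment would avoid surprising callers that reuse the hash.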
+@@ -58,6 +50,9 @@ module ActionView
+         else
+           I18n.translate(scope_key_by_partial(key), options)
+         end
++      rescue I18n::MissingTranslationData => e
++        keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
++        content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
+       end
+       alias :t :translate
+ 
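Review bot: the rescue clause builds the span with `content_tag`, so both the titleized key in the body and the `:title` attribute go through the tag helper's escaping, which is the correct replacement for the removed `html_safe` call; however, the patch adds no regression test. A test that calls `translate` with a missing key containing markup characters and asserts that the output contains the escaped form in both the element body and the title attribute would lock the fix in. Note also that `rescue I18n::MissingTranslationData` wraps the whole method, so it catches the exception raised through both the `_html` and plain branches, which is intended; the rescued path is only reached when `:raise` was set by the new default or by the caller.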
diff --git a/debian/patches/series b/debian/patches/series
index 94fcba8..07e0d65 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,4 +4,5 @@ CVE-2012-3465.patch
 CVE-2013-0155.patch
 CVE-2013-1855.patch
 CVE-2013-1857.patch
+CVE-2013-4491.patch
 CVE-2013-6417.patch
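Review bot: the new entry is inserted before CVE-2013-6417.patch rather than appended at the end of the series, so the existing patches are applied in a different order than before; confirm that `quilt push -a` still applies cleanly with this ordering, since both patches are backported to the same 3.2 tree.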

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git


