[DRE-commits] [ruby-actionpack-3.2] 03/06: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
Ondrej Sury
ondrej at moszumanska.debian.org
Wed Dec 4 11:12:33 UTC 2013
This is an automated email from the git hooks/post-receive script.
ondrej pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.
commit 1ed8e0cfc9dd5d5d0d0a76a3613c31bccf92246a
Author: Ondřej Surý <ondrej at sury.org>
Date: Wed Dec 4 11:45:53 2013 +0100
[CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
---
debian/patches/CVE-2013-4491.patch | 62 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 63 insertions(+)
diff --git a/debian/patches/CVE-2013-4491.patch b/debian/patches/CVE-2013-4491.patch
new file mode 100644
index 0000000..3e17f44
--- /dev/null
+++ b/debian/patches/CVE-2013-4491.patch
@@ -0,0 +1,62 @@
+From 616414876d8d93f5b4be0e41d872d40e0e389ee4 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Fri, 1 Nov 2013 11:50:05 +1300
+Subject: [PATCH] Stop using i18n's built in HTML error handling.
+
+i18n doesn't depend on active support which means it can't use our html_safe
+code to do its escaping when generating the spans. Rather than try to sanitize
+the output from i18n, just revert to our old behaviour of rescuing the error
+and constructing the tag ourselves.
+
+Fixes: CVE-2013-4491
+
+--- ruby-actionpack-3.2.orig/lib/action_view/helpers/translation_helper.rb
++++ ruby-actionpack-3.2/lib/action_view/helpers/translation_helper.rb
+@@ -1,24 +1,14 @@
+ require 'action_view/helpers/tag_helper'
+ require 'i18n/exceptions'
+
+-module I18n
+- class ExceptionHandler
+- include Module.new {
+- def call(exception, locale, key, options)
+- exception.is_a?(MissingTranslation) && options[:rescue_format] == :html ? super.html_safe : super
+- end
+- }
+- end
+-end
+-
+ module ActionView
+ # = Action View Translation Helpers
+ module Helpers
+ module TranslationHelper
+ # Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
+ #
+- # First, it'll pass the <tt>:rescue_format => :html</tt> option to I18n so that any
+- # thrown +MissingTranslation+ messages will be turned into inline spans that
++ # First, it will ensure that any thrown +MissingTranslation+ messages will be turned
++ # into inline spans that:
+ #
+ # * have a "translation-missing" class set,
+ # * contain the missing key as a title attribute and
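Review bot: dropping the I18n::ExceptionHandler override is the correct root-cause fix, because `super.html_safe` marked the span that i18n builds for a MissingTranslation as safe even though i18n interpolates the missing key into that span without escaping, so any key containing markup reached the page unescaped. One consequence worth spelling out in the updated doc comment: callers that still pass `:rescue_format => :html` explicitly now get i18n's plain, non-html_safe string back, which ERB will escape, so only the default path (no `:rescue_format` given) produces a rendered inline span. The "three additional functions" wording in the comment still holds after the change.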
+@@ -44,7 +34,9 @@ module ActionView
+ # naming convention helps to identify translations that include HTML tags so that
+ # you know what kind of output to expect when you call translate in a template.
+ def translate(key, options = {})
+- options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
++ # If the user has specified rescue_format then pass it all through, otherwise use
++ # raise and do the work ourselves
++ options[:raise] = true unless options.key?(:raise) || options.key?(:rescue_format)
+ if html_safe_translation_key?(key)
+ html_safe_options = options.dup
+ options.except(*I18n::RESERVED_KEYS).each do |name, value|
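Review bot: the placement of the new `options[:raise] = true` line matters and should be covered by tests: because `html_safe_options = options.dup` is taken after it, both the html-suffixed-key branch and the plain branch pass `:raise => true` to I18n.translate, so both raise MissingTranslationData and reach the rescue below; a test for each branch would lock that in. Note also that `:raise` is in I18n::RESERVED_KEYS, so the `options.except(*I18n::RESERVED_KEYS)` loop correctly skips it rather than treating it as an interpolation value. The write into `options` mutates the caller's hash, but that is unchanged from the previous `merge!`, so not a regression here.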
+@@ -58,6 +50,9 @@ module ActionView
+ else
+ I18n.translate(scope_key_by_partial(key), options)
+ end
++ rescue I18n::MissingTranslationData => e
++ keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
++ content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
+ end
+ alias :t :translate
+
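Review bot: the class name in the rescue is `'translation_missing'` while the doc comment in the first hunk still promises a "translation-missing" class; pick one spelling so CSS written against the documentation keeps matching. The rescue itself is what closes the hole: content_tag escapes both the titleized body and the `:title` attribute, so the missing key can no longer inject markup. A regression test that calls translate with a key containing `<` and asserts the rendered span contains `&lt;` rather than a tag would make the fix verifiable. The method-level rescue also catches I18n::MissingTranslationData from both I18n.translate calls, which is the exception raised when `:raise => true` is set, so the removed handler's MissingTranslation module check is not needed here.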
diff --git a/debian/patches/series b/debian/patches/series
index 94fcba8..07e0d65 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,4 +4,5 @@ CVE-2012-3465.patch
CVE-2013-0155.patch
CVE-2013-1855.patch
CVE-2013-1857.patch
+CVE-2013-4491.patch
CVE-2013-6417.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git