[DRE-commits] [ruby-actionpack-3.2] 05/06: [CVE-2013-6415] XSS Vulnerability in number_to_currency

Ondrej Sury ondrej at moszumanska.debian.org
Wed Dec 4 11:12:33 UTC 2013


This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.

commit 765f4e6765b1ddddc04a209c95f200ff741305ac
Author: Ondřej Surý <ondrej at sury.org>
Date:   Wed Dec 4 11:46:38 2013 +0100

    [CVE-2013-6415] XSS Vulnerability in number_to_currency
---
 debian/patches/CVE-2013-6415.patch | 18 ++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 19 insertions(+)

diff --git a/debian/patches/CVE-2013-6415.patch b/debian/patches/CVE-2013-6415.patch
new file mode 100644
index 0000000..0cc33d5
--- /dev/null
+++ b/debian/patches/CVE-2013-6415.patch
@@ -0,0 +1,18 @@
+From 015fab69f597de2ff909ec7a7a07f7fa0007f4d9 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Wed, 13 Nov 2013 16:14:07 +1300
+Subject: [PATCH] Escape the unit value provided to number_to_currency
+
+Fixes CVE-2013-6415
+
+--- ruby-actionpack-3.2.orig/lib/action_view/helpers/number_helper.rb
++++ ruby-actionpack-3.2/lib/action_view/helpers/number_helper.rb
+@@ -144,7 +144,7 @@ module ActionView
+ 
+         begin
+           value = number_with_precision(number, options.merge(:raise => true))
+-          format.gsub(/%n/, value).gsub(/%u/, unit).html_safe
++          format.gsub(/%n/, ERB::Util.html_escape(value)).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe
+         rescue InvalidNumberError => e
+           if options[:raise]
+             raise
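Review bot: the one-line fix escapes `value` and `unit` but the surrounding `format` string still reaches `.html_safe` unescaped, so the `:format` option must continue to be treated as trusted, developer-supplied input; a short comment above the line saying so would stop a future reader from assuming the whole result is now escaped. The patch also carries no test exercising an escaped `:unit`, so consider adding the upstream test alongside it, and the DEP-3 header block lacks an `Origin:`/`Bug:` line pointing at the upstream commit `015fab69` that the `From` header references.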
diff --git a/debian/patches/series b/debian/patches/series
index 4b9d9cc..0713e4d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,4 +6,5 @@ CVE-2013-1855.patch
 CVE-2013-1857.patch
 CVE-2013-4491.patch
 CVE-2013-6414.patch
+CVE-2013-6415.patch
 CVE-2013-6417.patch
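Review bot: the series entry keeps the CVE patches in numeric order, which matches the surrounding lines, but the stat for this commit shows only the patch and `series` changing, so the `debian/changelog` entry referencing CVE-2013-6415 must be added in a sibling commit of this 06-commit push for the security update to be traceable from the package metadata.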

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git