[DRE-commits] [ruby-i18n] 02/03: added patch to fix CVE-2013-4492 in Wheezy
Jonas Genannt
jonas at brachium-system.net
Mon Dec 30 19:06:05 UTC 2013
This is an automated email from the git hooks/post-receive script.
hggh-guest pushed a commit to branch debian-wheezy
in repository ruby-i18n.
commit 554623cb524e438801191c4880179852cdfa6716
Author: Jonas Genannt <jonas at brachium-system.net>
Date: Mon Dec 30 20:05:40 2013 +0100
added patch to fix CVE-2013-4492 in Wheezy
---
debian/patches/CVE-2013-4492.patch | 61 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 62 insertions(+)
diff --git a/debian/patches/CVE-2013-4492.patch b/debian/patches/CVE-2013-4492.patch
new file mode 100644
index 0000000..b65d29a
--- /dev/null
+++ b/debian/patches/CVE-2013-4492.patch
@@ -0,0 +1,61 @@
+Description: fixes CVE-2013-4492, backported for Wheezy
+Origin: https://github.com/svenfuchs/i18n/commit/92b57b1e4f84adcdcc3a375278f299274be62445.patch
+Author: Christopher Dell <chris at tigrish.com>
+
+diff --git a/lib/i18n/exceptions.rb b/lib/i18n/exceptions.rb
+index 2f625a0..e17d432 100644
+--- a/lib/i18n/exceptions.rb
++++ b/lib/i18n/exceptions.rb
+@@ -1,3 +1,5 @@
++require 'cgi'
++
+ module I18n
+ # Handles exceptions raised in the backend. All exceptions except for
+ # MissingTranslationData exceptions are re-thrown. When a MissingTranslationData
+@@ -45,8 +47,9 @@ module I18n
+ end
+
+ def html_message
+- key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
+- %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
++ key = CGI.escapeHTML titleize(keys.last)
++ path = CGI.escapeHTML keys.join('.')
++ %(<span class="translation_missing" title="translation missing: #{path}">#{key}</span>)
+ end
+
+ def keys
+@@ -63,6 +66,13 @@ module I18n
+ def to_exception
+ MissingTranslationData.new(locale, key, options)
+ end
++
++ protected
++
++ # TODO : remove when #html_message is removed
++ def titleize(key)
++ key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
++ end
+ end
+
+ include Base
+diff --git a/test/i18n/exceptions_test.rb b/test/i18n/exceptions_test.rb
+index fcc50f3..650c844 100644
+--- a/test/i18n/exceptions_test.rb
++++ b/test/i18n/exceptions_test.rb
+@@ -28,9 +28,13 @@ class I18nExceptionsTest < Test::Unit::TestCase
+ end
+
+ test "MissingTranslationData html_message is a span with the titlelized last key token" do
+- force_missing_translation_data do |exception|
+- assert_equal '<span class="translation_missing" title="translation missing: de.bar.foo">Foo</span>', exception.html_message
+- end
++ exception = I18n::MissingTranslationData.new(:de, :foo, :scope => :bar)
++ assert_equal '<span class="translation_missing" title="translation missing: de.bar.foo">Foo</span>', exception.html_message
++ end
++
++ test "MissingTranslationData html_message html escapes key names" do
++ exception = I18n::MissingTranslationData.new(:de, '<script>Evil</script>', :scope => '<iframe src="example.com" />')
++ assert_equal '<span class="translation_missing" title="translation missing: de.<iframe src="example.com" />.<script>Evil</script>"><Script>Evil</Script></span>', exception.html_message
+ end
+
+ test "ExceptionHandler returns the html_message if :rescue_format => :html was given" do
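Review bot: The expected string in the new "html escapes key names" test (the `assert_equal` four lines above the end of the hunk) shows raw `<`, `>` and `"` inside the title attribute and the span body, yet the patched `html_message` now passes both `keys.join('.')` and the titleized key through `CGI.escapeHTML`, so the method's real output would carry `&lt;`, `&gt;` and `&quot;` and the assertion as printed could not pass. Most likely the mail archive HTML-decoded the entities when rendering this message, but it is worth confirming that the file committed under debian/patches carries the entities verbatim, because the test fails exactly when the escaping it is meant to prove is present. Two smaller points of style in the backported code: `CGI.escapeHTML titleize(keys.last)` and `CGI.escapeHTML keys.join('.')` omit parentheses on calls with arguments, and `titleize` reads its capture through `$1` where `Regexp.last_match(1)` is clearer, though keeping the lines byte-identical to the upstream origin is a reasonable choice for a security backport. The inner hunks show only fragments of the `MissingTranslationData` class and of the test case; their remaining methods lie outside this patch.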
diff --git a/debian/patches/series b/debian/patches/series
index e318c3e..070c1fb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
debian-changes-0.5.0-1
0001-Skip-test-that-fails-on-1.9.patch
+CVE-2013-4492.patch
--