[DRE-commits] [SCM] ruby-activemodel-3.2.git branch, master-experimental, updated. debian/3.2.6-2-17-g0484034
Ondřej Surý
ondrej at sury.org
Tue Feb 12 15:53:56 UTC 2013
The following commit has been merged in the master-experimental branch:
commit 36f064f5e16d4f98fa8bf8276379930c11092e35
Author: Ondřej Surý <ondrej at sury.org>
Date: Tue Feb 12 16:53:21 2013 +0100
Fix circumvention of attr_protected [CVE-2013-0276]
diff --git a/debian/patches/CVE-2013-0276.patch b/debian/patches/CVE-2013-0276.patch
new file mode 100644
index 0000000..fe3374a
--- /dev/null
+++ b/debian/patches/CVE-2013-0276.patch
@@ -0,0 +1,34 @@
+From 060bb7250b963609a0d8a5d0559e36b99d2402c6 Mon Sep 17 00:00:00 2001
+From: joernchen of Phenoelit <joernchen at phenoelit.de>
+Date: Sat, 9 Feb 2013 15:46:44 -0800
+Subject: [PATCH] Fix issue with attr_protected where malformed input could
+ circumvent protection
+
+Fixes: CVE-2013-0276
+---
+ activemodel/lib/active_model/attribute_methods.rb | 2 +-
+ activemodel/lib/active_model/mass_assignment_security/permission_set.rb | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/active_model/attribute_methods.rb
++++ b/lib/active_model/attribute_methods.rb
+@@ -365,7 +365,7 @@ module ActiveModel
+ end
+
+ @prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
+- @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
++ @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
+ @method_missing_target = "#{@prefix}attribute#{@suffix}"
+ @method_name = "#{prefix}%s#{suffix}"
+ end
+--- a/lib/active_model/mass_assignment_security/permission_set.rb
++++ b/lib/active_model/mass_assignment_security/permission_set.rb
+@@ -19,7 +19,7 @@ module ActiveModel
+ protected
+
+ def remove_multiparameter_id(key)
+- key.to_s.gsub(/\(.+/, '')
++ key.to_s.gsub(/\(.+/m, '')
+ end
+ end
+
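Review bot: The new debian/patches/CVE-2013-0276.patch carries only the upstream git-format-patch header (From/Date/Subject/Fixes) and no DEP-3 `Origin:` or `Bug:` field, and its diffstat still names `activemodel/lib/active_model/...` while the hunks have been rebased to `lib/active_model/...`, so neither the provenance nor the rebase is visible to whoever refreshes this patch next. Add `Origin: upstream, 060bb7250b963609a0d8a5d0559e36b99d2402c6` and a one-line `Description:` stating that the `^`/`$` anchors in `@regex` and the non-multiline `.` in `remove_multiparameter_id` let an attribute name containing a newline slip past attr_protected, which is what the `\A`/`\z` and `/m` changes close. The context lines of both nested hunks appear with their leading indentation collapsed in this rendering; if that is how the file was committed rather than a mailing-list artefact, quilt will refuse to apply it, so the patch should be checked with `quilt push` before upload.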
diff --git a/debian/patches/series b/debian/patches/series
index 55525fb..38dbc7b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
remove-rubygems-requirement.patch
+CVE-2013-0276.patch
--
ruby-activemodel-3.2.git