[DRE-commits] [SCM] ruby-activeresource-2.3.git branch, master, updated. debian/2.3.14-2-4-g6a11ff5

Ondřej Surý ondrej at sury.org
Tue Feb 12 15:57:26 UTC 2013


The following commit has been merged in the master branch:
commit 0ffdbc2cecb68d54e37ef4c3a1237c81e6550ccf
Author: Ondřej Surý <ondrej at sury.org>
Date:   Tue Feb 12 16:56:00 2013 +0100

      * debian/patches/0003-remove-test-for-XML-YAML-parsing.patch: Backport patch
        from upstream to disable test for XML YAML parsing. XML YAML parsing has
        been removed in ruby-activesupport-2.3/2.3.14-5 to fix CVE-2013-0156.
        (Closes: #699255)

diff --git a/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch b/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch
new file mode 100644
index 0000000..5575c8e
--- /dev/null
+++ b/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch
@@ -0,0 +1,48 @@
+Description: Remove test for XML YAML parsing
+ The support for YAML parsing in XML has been removed from Active Support
+ since it introduced an security risk (CVE-2013-0156).
+Origin: backport, https://github.com/rails/activeresource/commit/a0589575
+Last-Update: 2013-02-10
+
+--- a/test/base_test.rb
++++ b/test/base_test.rb
+@@ -49,25 +49,11 @@
+                                            :children => [{:name => 'Natacha'}]},
+                                           {:name => 'Milena',
+                                            :children => []}]}]}.to_xml(:root => 'customer')
+-    # - resource with yaml array of strings; for ActiveRecords using serialize :bar, Array
+-    @marty = <<-eof.strip
+-      <?xml version=\"1.0\" encoding=\"UTF-8\"?>
+-      <person>
+-        <id type=\"integer\">5</id>
+-        <name>Marty</name>
+-        <colors type=\"yaml\">---
+-      - \"red\"
+-      - \"green\"
+-      - \"blue\"
+-      </colors>
+-      </person>
+-    eof
+ 
+     ActiveResource::HttpMock.respond_to do |mock|
+       mock.get    "/people/1.xml",                {}, @matz
+       mock.get    "/people/2.xml",                {}, @david
+       mock.get    "/people/6.json",               {}, @joe
+-      mock.get    "/people/5.xml",                {}, @marty
+       mock.get    "/people/Greg.xml",             {}, @greg
+       mock.get    "/people/4.xml",                {'key' => 'value'}, nil, 404
+       mock.put    "/people/1.xml",                {}, nil, 204
+@@ -1075,13 +1061,4 @@
+     end
+   end
+ 
+-  def test_load_yaml_array
+-    assert_nothing_raised do
+-      marty = Person.find(5)
+-      assert_equal 3, marty.colors.size
+-      marty.colors.each do |color|
+-        assert_kind_of String, color
+-      end
+-    end
+-  end
+ end
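Review bot: the DEP-3 header at the top of the new patch file has no `Bug-Debian:` field, although the commit message closes #699255; adding one that points at that bug would keep the patch traceable to the report, and the Description should read "a security risk" rather than "an security risk". In the second embedded hunk, `test_load_yaml_array` is deleted without a replacement, so nothing in the suite checks how a `<colors type="yaml">` element is handled now. Consider keeping the `@marty` fixture and replacing the test with a negative one asserting that the YAML body is no longer deserialized into an Array, so that a regression in the Active Support dependency that re-enables the CVE-2013-0156 parsing path is caught by this package's tests.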
diff --git a/debian/patches/series b/debian/patches/series
index 2e1137d..f65c64b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001-comment_out_failing_upstream_tests.patch
 0002-require_abstract_unit_needs_test_directory.patch
+0003-remove-test-for-XML-YAML-parsing.patch

-- 
ruby-activeresource-2.3.git


