[DRE-commits] [SCM] ruby-activesupport-3.2.git branch, master, updated. debian/3.2.6-4-2-g1797457
Antonio Terceiro
terceiro at debian.org
Wed Jan 9 20:42:42 UTC 2013
The following commit has been merged in the master branch:
commit 1797457e902949ce46015ffca513d54b6938f6ff
Author: Antonio Terceiro <terceiro at debian.org>
Date: Wed Jan 9 17:25:06 2013 -0300
Fix for CVE-2013-0156
diff --git a/debian/changelog b/debian/changelog
index 082c00f..33279c4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-activesupport-3.2 (3.2.6-5) unstable; urgency=high
+
+ * debian/patches/CVE-2013-0156.patch: fix for vulnerabilities in
+ vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697790)
+
+ -- Antonio Terceiro <terceiro at debian.org> Wed, 09 Jan 2013 17:23:52 -0300
+
ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high
* debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability.
diff --git a/debian/patches/CVE-2013-0156.patch b/debian/patches/CVE-2013-0156.patch
new file mode 100644
index 0000000..d7fcc06
--- /dev/null
+++ b/debian/patches/CVE-2013-0156.patch
@@ -0,0 +1,76 @@
+From 43109ecb986470ef023a7e91beb9812718f000fe Mon Sep 17 00:00:00 2001
+From: Jeremy Kemper <jeremy at bitsweat.net>
+Date: Sat, 5 Jan 2013 17:46:26 -0700
+Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow
+ symbols or yaml.
+
+diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb
+index 5f07bb4..b820a16 100644
+--- a/lib/active_support/core_ext/hash/conversions.rb
++++ b/lib/active_support/core_ext/hash/conversions.rb
+@@ -85,15 +85,33 @@ class Hash
+ end
+ end
+
++ class DisallowedType < StandardError #:nodoc:
++ def initialize(type)
++ super "Disallowed type attribute: #{type.inspect}"
++ end
++ end
++
++ DISALLOWED_XML_TYPES = %w(symbol yaml)
++
+ class << self
+- def from_xml(xml)
+- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)))
++ def from_xml(xml, disallowed_types = nil)
++ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types)
++ end
++
++ def from_trusted_xml(xml)
++ from_xml xml, []
+ end
+
+ private
+- def typecast_xml_value(value)
++ def typecast_xml_value(value, disallowed_types = nil)
++ disallowed_types ||= DISALLOWED_XML_TYPES
++
+ case value.class.to_s
+ when 'Hash'
++ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
++ raise DisallowedType, value['type']
++ end
++
+ if value['type'] == 'array'
+ _, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) })
+ if entries.nil? || (c = value['__content__'] && c.blank?)
+@@ -101,9 +119,9 @@ class Hash
+ else
+ case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
+ when "Array"
+- entries.collect { |v| typecast_xml_value(v) }
++ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
+ when "Hash"
+- [typecast_xml_value(entries)]
++ [typecast_xml_value(entries, disallowed_types)]
+ else
+ raise "can't typecast #{entries.inspect}"
+ end
+@@ -127,14 +145,14 @@ class Hash
+ elsif value['type'] && value.size == 1 && !value['type'].is_a?(::Hash)
+ nil
+ else
+- xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v)] }]
++ xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v, disallowed_types)] }]
+
+ # Turn { :files => { :file => #<StringIO> } into { :files => #<StringIO> } so it is compatible with
+ # how multipart uploaded files from HTML appear
+ xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
+ end
+ when 'Array'
+- value.map! { |i| typecast_xml_value(i) }
++ value.map! { |i| typecast_xml_value(i, disallowed_types) }
+ value.length > 1 ? value : value.first
+ when 'String'
+ value
diff --git a/debian/patches/series b/debian/patches/series
index cd6330b..2d3de0f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2012-3464.patch
+CVE-2013-0156.patch
--
ruby-activesupport-3.2.git
More information about the Pkg-ruby-extras-commits
mailing list