[DRE-commits] [SCM] ruby-actionpack-3.2.git branch, master-experimental, updated. debian/3.2.6-4-14-g8fe61f1

Ondřej Surý ondrej at sury.org
Tue Jan 15 22:18:21 UTC 2013


The following commit has been merged in the master-experimental branch:
commit 56a2da91baadf4d0ea5407abcd6bbf665c82902a
Author: Ondřej Surý <ondrej at sury.org>
Date:   Fri Oct 12 12:54:30 2012 +0200

    CVEs have been merged upstream

diff --git a/debian/patches/CVE-2012-3424.patch b/debian/patches/CVE-2012-3424.patch
deleted file mode 100644
index 8fdf1f2..0000000
--- a/debian/patches/CVE-2012-3424.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Description: Do not convert digest auth strings to symbols.
-Author: Aaron Patterson <aaron.patterson at gmail.com>
-
----
-
-Origin: upstream, https://github.com/rails/rails/commit/27311fef5efa598f281649074255834546d2b4ec
-Forwarded: not-needed
-
---- ruby-actionpack-3.2-3.2.6.orig/lib/action_controller/metal/http_authentication.rb
-+++ ruby-actionpack-3.2-3.2.6/lib/action_controller/metal/http_authentication.rb
-@@ -227,9 +227,9 @@ module ActionController
-       end
- 
-       def decode_credentials(header)
--        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
-+        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
-           key, value = pair.split('=', 2)
--          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
-+          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
-         end]
-       end
- 
diff --git a/debian/patches/CVE-2012-3463.patch b/debian/patches/CVE-2012-3463.patch
deleted file mode 100644
index 356f8d0..0000000
--- a/debian/patches/CVE-2012-3463.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From ec30fba02d2d3a0c90dfc9a38629d2c0d55bf8c1 Mon Sep 17 00:00:00 2001
-From: Santiago Pastorino <santiago at wyeworks.com>
-Date: Wed, 8 Aug 2012 15:10:35 -0700
-Subject: [PATCH] escape select_tag :prompt values
-
----
- actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 ++--
- 2 files changed, 8 insertions(+), 2 deletions(-)
-
-diff --git actionpack/lib/action_view/helpers/form_tag_helper.rb actionpack/lib/action_view/helpers/form_tag_helper.rb
-index 066b98d..9e0ec17 100644
---- actionpack/lib/action_view/helpers/form_tag_helper.rb
-+++ actionpack/lib/action_view/helpers/form_tag_helper.rb
-@@ -122,11 +122,11 @@ module ActionView
-         html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
- 
-         if options.delete(:include_blank)
--          option_tags = "<option value=\"\"></option>".html_safe + option_tags
-+          option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
-         end
- 
-         if prompt = options.delete(:prompt)
--          option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags
-+          option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags)
-         end
- 
-         content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
--- 
-1.7.11.1
-
diff --git a/debian/patches/CVE-2012-3465.patch b/debian/patches/CVE-2012-3465.patch
deleted file mode 100644
index 2d583d9..0000000
--- a/debian/patches/CVE-2012-3465.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From bb98352d42d654970299450b009223968a53c6f8 Mon Sep 17 00:00:00 2001
-From: Santiago Pastorino <santiago at wyeworks.com>
-Date: Wed, 8 Aug 2012 14:33:39 -0700
-Subject: [PATCH] Do not mark strip_tags result as html_safe
-
-Thanks to Marek Labos & Nethemba
----
- actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git actionpack/lib/action_view/helpers/sanitize_helper.rb actionpack/lib/action_view/helpers/sanitize_helper.rb
-index 7768c8c..0f6a5ed 100644
---- actionpack/lib/action_view/helpers/sanitize_helper.rb
-+++ actionpack/lib/action_view/helpers/sanitize_helper.rb
-@@ -80,7 +80,7 @@ module ActionView
-       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
-       #   # => Welcome to my website!
-       def strip_tags(html)
--        self.class.full_sanitizer.sanitize(html).try(:html_safe)
-+        self.class.full_sanitizer.sanitize(html)
-       end
- 
-       # Strips all link tags from +text+ leaving just the link text.
--- 
-1.7.11.1
-
diff --git a/debian/patches/series b/debian/patches/series
index 78fded1..e69de29 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +0,0 @@
-CVE-2012-3424.patch
-CVE-2012-3463.patch
-CVE-2012-3465.patch

-- 
ruby-actionpack-3.2.git


