[DRE-commits] [SCM] ruby-actionpack-2.3.git branch, master, updated. debian/2.3.14-4-6-gef6606c

Ondřej Surý ondrej at sury.org
Tue Mar 19 08:30:31 UTC 2013


The following commit has been merged in the master branch:
commit f9134214f6c39e0e291ca98161b2e1b3474beb79
Author: Ondřej Surý <ondrej at sury.org>
Date:   Tue Mar 19 09:25:57 2013 +0100

    [CVE-2013-1857]: Fix XSS Vulnerability in the sanitize helper of Ruby on Rails

diff --git a/debian/patches/CVE-2013-1857.patch b/debian/patches/CVE-2013-1857.patch
new file mode 100644
index 0000000..860f9dd
--- /dev/null
+++ b/debian/patches/CVE-2013-1857.patch
@@ -0,0 +1,54 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -62,8 +62,8 @@ module HTML
+ 
+     # A regular expression of the valid characters used to separate protocols like
+     # the ':' in 'http://foo.com'
+-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|%)3A/
+-    
++    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i
++
+     # Specifies a Set of HTML attributes that can have URIs.
+     self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
+ 
+@@ -166,8 +166,8 @@ module HTML
+     end
+ 
+     def contains_bad_protocols?(attr_name, value)
+-      uri_attributes.include?(attr_name) && 
+-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
++      uri_attributes.include?(attr_name) &&
++      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+     end
+   end
+ end
+--- a/test/controller/html-scanner/sanitizer_test.rb
++++ b/test/controller/html-scanner/sanitizer_test.rb
+@@ -169,6 +169,7 @@ class SanitizerTest < ActionController::
+    %(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
+    %(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
+    %(<IMG SRC="   javascript:alert('XSS');">),
++   %(<IMG SRC="javascript&#x3a;alert('XSS');">),
+    %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
+     define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
+       assert_sanitized img_hack, "<img>"
+@@ -270,6 +271,19 @@ class SanitizerTest < ActionController::
+      assert_sanitized %{<a href=\"http://www.domain.com?var1=1&var2=2\">my link</a>}
+   end
+ 
++  def test_should_sanitize_neverending_attribute
++    assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
++  end
++
++  def test_x03a
++    assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
++    assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
++    assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
++    assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
++    assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
++    assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
++  end
++
+ protected
+   def assert_sanitized(input, expected = nil)
+     @sanitizer ||= HTML::WhiteListSanitizer.new
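Review bot: The new `contains_bad_protocols?` in the sanitizer.rb part of this patch calls `.downcase.strip` on `value.split(protocol_separator).first`, which is `nil` when the attribute value consists only of separators (Ruby's `String#split` drops trailing empty fields, so `":".split(/:/)` is `[]`); such an `href` would raise `NoMethodError` out of the sanitizer, where the old line merely evaluated `include?(nil)` to false and stripped the attribute. Writing it as `value.split(protocol_separator).first.to_s.downcase.strip` keeps the fix and makes that case reject the attribute as before. Separately, the `(&#x70)` alternative carried over into the new regex appears to be the entity for 'p' (0x70) rather than ':' (0x3a) — presumably harmless, but worth a comment now that it sits beside the added `(&#x0*3a)`. The added `test_should_sanitize_neverending_attribute` has no matching change in the sanitizer.rb hunk of this patch, so it presumably relies on behaviour already present or on an earlier patch in the series; confirm it passes at this point in the series.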
diff --git a/debian/patches/series b/debian/patches/series
index 8038e55..b5fb724 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0002-dont_require_rubygems.patch
 CVE-2012-1099.patch
 CVE-2013-1855.patch
+CVE-2013-1857.patch
