[DRE-commits] [SCM] ruby-actionpack-3.2.git branch, master, updated. debian/3.2.6-5-3-gd0aa6fa

Ondřej Surý ondrej at sury.org
Tue Mar 19 08:57:28 UTC 2013


The following commit has been merged in the master branch:
commit f75a049d56833970cf5cc8ef464475e6912fcdf2
Author: Ondřej Surý <ondrej at sury.org>
Date:   Tue Mar 19 09:44:57 2013 +0100

    [CVE-2013-1857]: Fix XSS Vulnerability in the sanitize helper of Ruby on Rails

diff --git a/debian/patches/CVE-2013-1857.patch b/debian/patches/CVE-2013-1857.patch
new file mode 100644
index 0000000..f9fe8ce
--- /dev/null
+++ b/debian/patches/CVE-2013-1857.patch
@@ -0,0 +1,20 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -66,7 +66,7 @@ module HTML
+ 
+     # A regular expression of the valid characters used to separate protocols like
+     # the ':' in 'http://foo.com'
+-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|%)3A/
++    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i
+ 
+     # Specifies a Set of HTML attributes that can have URIs.
+     self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
+@@ -171,7 +171,7 @@ module HTML
+ 
+     def contains_bad_protocols?(attr_name, value)
+       uri_attributes.include?(attr_name) &&
+-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
++      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+     end
+   end
+ end
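Review bot: The new debian/patches/CVE-2013-1857.patch carries no DEP-3 header, so nothing in the file records where the change comes from or which upstream fix it tracks; add a block such as `Description: Fix XSS in the sanitize helper (CVE-2013-1857)`, `Origin: upstream` with the upstream commit reference, and a `Bug-Debian:` or `Applied-Upstream:` line, which also gives quilt and future rebases something to match against. On the change itself, the two edits are consistent with each other: `protocol_separator` and the match in `contains_bad_protocols?` both gain the `(&#x0*3a)` alternative for the hex-encoded colon and the `/i` flag, so the split and the match now recognise the same encodings regardless of case, and the added `.strip` means a scheme token with surrounding whitespace is compared against `allowed_protocols` in normalised form rather than being treated as an unknown protocol. One pre-existing oddity worth noting is `(&#x70)`, which is the hex entity for the letter `p`, not a colon; it is left as it was in both regular expressions, which is correct for a minimal security backport but could be recorded in the patch description so it is not mistaken for part of this fix.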
diff --git a/debian/patches/series b/debian/patches/series
index e19f070..0d32017 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ CVE-2012-3463.patch
 CVE-2012-3465.patch
 CVE-2013-0155.patch
 CVE-2013-1855.patch
+CVE-2013-1857.patch

-- 
ruby-actionpack-3.2.git
