[DRE-commits] [SCM] ruby-actionpack-2.3.git branch, master, updated. debian/2.3.14-4-6-gef6606c
Ondřej Surý
ondrej at sury.org
Tue Mar 19 08:30:30 UTC 2013
The following commit has been merged in the master branch:
commit 5f64c441ece58b14063caa6378f13900593e9e78
Author: Ondřej Surý <ondrej at sury.org>
Date: Tue Mar 19 09:24:30 2013 +0100
[CVE-2013-1855]: Fix XSS vulnerability in sanitize_css in Action Pack
diff --git a/debian/patches/CVE-2013-1855.patch b/debian/patches/CVE-2013-1855.patch
new file mode 100644
index 0000000..667c9bf
--- /dev/null
+++ b/debian/patches/CVE-2013-1855.patch
@@ -0,0 +1,38 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -106,8 +106,8 @@ module HTML
+ style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
+
+ # gauntlet
+- if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
+- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
++ if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
++ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
+ return ''
+ end
+
+@@ -117,8 +117,8 @@ module HTML
+ clean << prop + ': ' + val + ';'
+ elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
+ unless val.split().any? do |keyword|
+- !allowed_css_keywords.include?(keyword) &&
+- keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
++ !allowed_css_keywords.include?(keyword) &&
++ keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+ end
+ clean << prop + ': ' + val + ';'
+ end
+--- a/test/controller/html-scanner/sanitizer_test.rb
++++ b/test/controller/html-scanner/sanitizer_test.rb
+@@ -249,6 +249,11 @@ class SanitizerTest < ActionController::
+ assert_equal '', sanitize_css(raw)
+ end
+
++ def test_should_sanitize_across_newlines
++ raw = %(\nwidth:\nexpression(alert('XSS'));\n)
++ assert_equal '', sanitize_css(raw)
++ end
++
+ def test_should_sanitize_img_vbscript
+ assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
+ end
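Review bot: The new quilt patch starts directly at the `--- a/lib/action_controller/...` header on the first hunk line with no DEP-3 metadata, so nothing in the file records where the fix came from or which advisory it addresses; a header such as `Description: CVE-2013-1855: sanitize_css used ^/$ (line anchors in Ruby) instead of \A/\z, letting a newline bypass the CSS gauntlet` followed by `Origin: upstream, <upstream commit id placeholder>` and `Bug-Debian: <bug placeholder>` would make the patch self-describing. The inner `(;|$)` in the second gauntlet regex (the line that becomes `style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/`) still uses `$`, which remains a line anchor, but this looks harmless because the first gauntlet is now anchored with `\A`/`\z` and rejects any character outside its whitelist anywhere in the string — worth a one-line comment in the patch so the next reader does not mistake it for an incomplete fix. The enclosing `sanitize_css` method begins and ends outside both hunks of the embedded patch.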
diff --git a/debian/patches/series b/debian/patches/series
index 63046cc..8038e55 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
0001-use_system_activesupport.patch
0002-dont_require_rubygems.patch
CVE-2012-1099.patch
+CVE-2013-1855.patch