[DRE-commits] [SCM] ruby-actionpack-2.3.git branch, master, updated. debian/2.3.14-4-6-gef6606c

Ondřej Surý ondrej at sury.org
Tue Mar 19 08:30:30 UTC 2013


The following commit has been merged in the master branch:
commit 5f64c441ece58b14063caa6378f13900593e9e78
Author: Ondřej Surý <ondrej at sury.org>
Date:   Tue Mar 19 09:24:30 2013 +0100

    [CVE-2013-1855]: Fix XSS vulnerability in sanitize_css in Action Pack

diff --git a/debian/patches/CVE-2013-1855.patch b/debian/patches/CVE-2013-1855.patch
new file mode 100644
index 0000000..667c9bf
--- /dev/null
+++ b/debian/patches/CVE-2013-1855.patch
@@ -0,0 +1,38 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -106,8 +106,8 @@ module HTML
+       style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
+ 
+       # gauntlet
+-      if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
+-          style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
++      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
++          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
+         return ''
+       end
+ 
+@@ -117,8 +117,8 @@ module HTML
+           clean <<  prop + ': ' + val + ';'
+         elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) 
+           unless val.split().any? do |keyword|
+-            !allowed_css_keywords.include?(keyword) && 
+-              keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
++            !allowed_css_keywords.include?(keyword) &&
++              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+           end
+             clean << prop + ': ' + val + ';'
+           end
+--- a/test/controller/html-scanner/sanitizer_test.rb
++++ b/test/controller/html-scanner/sanitizer_test.rb
+@@ -249,6 +249,11 @@ class SanitizerTest < ActionController::
+     assert_equal '', sanitize_css(raw)
+   end
+ 
++  def test_should_sanitize_across_newlines
++    raw = %(\nwidth:\nexpression(alert('XSS'));\n)
++    assert_equal '', sanitize_css(raw)
++  end
++
+   def test_should_sanitize_img_vbscript
+     assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
+   end
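Review bot: The inner `(;|$)` in the second gauntlet regex (hunk at `@@ -106,8 +106,8 @@`) keeps a `$`, which in Ruby matches before any embedded newline rather than only at end of string, so the structural check still accepts a newline as a declaration separator even though the outer anchors were tightened to `\A`/`\z`. As far as the hunk shows, the first gauntlet's character whitelist makes this harmless because `(`, `)` and other expression syntax are only allowed in the narrow `\([\d,\s]+\)` form, but the anchor change would be easier to reason about if applied consistently: `style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/`. The added test covers only the leading/trailing newline case; a second assertion with the newline between two otherwise valid declarations (e.g. `%(width: 1px\nheight:\nexpression(alert('XSS'));)`) would pin that the whole-string anchoring, not just the outer `\A`/`\z`, rejects the payload. The enclosing `sanitize_css` method begins and ends outside this hunk, so the `scan`/split that consumes the value after the gauntlet is not visible here.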
diff --git a/debian/patches/series b/debian/patches/series
index 63046cc..8038e55 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-use_system_activesupport.patch
 0002-dont_require_rubygems.patch
 CVE-2012-1099.patch
+CVE-2013-1855.patch

-- 
ruby-actionpack-2.3.git


