[DRE-commits] [ruby-redcloth] 02/03: block javascript: links (Closes: #774748 [CVE-2012-6684])

Antonio Terceiro terceiro at moszumanska.debian.org
Sat Feb 21 14:16:41 UTC 2015


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to branch master
in repository ruby-redcloth.

commit 79f853cbacf0eac98baa00be9d1db66ab7b80a27
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Sat Feb 7 23:30:47 2015 -0200

    block javascript: links (Closes: #774748 [CVE-2012-6684])
---
 debian/changelog                                   |  6 ++-
 ...javascript-links-when-using-filter_html-o.patch | 53 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index af11040..32986bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,12 @@
-ruby-redcloth (4.2.9-4) UNRELEASED; urgency=medium
+ruby-redcloth (4.2.9-4) unstable; urgency=medium
 
   * Team upload.
   * debian/ruby-tests.rb → debian/ruby-tests.rake: fix recipe to run tests
     during build.
+  * 0001-Filter-out-javascript-links-when-using-filter_html-o.patch:
+    - block javascript: links Closes: #774748 [CVE-2012-6684]
 
- -- Antonio Terceiro <terceiro at debian.org>  Sat, 07 Feb 2015 20:54:29 -0200
+ -- Antonio Terceiro <terceiro at debian.org>  Sat, 07 Feb 2015 23:30:26 -0200
 
 ruby-redcloth (4.2.9-3) unstable; urgency=medium
 
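Review bot: The new changelog entry reads "block javascript: links" without qualification, while the patch it names is titled "Filter out 'javascript:' links when using filter_html or sanitize_html". The entry should say that the filtering applies only when one of those options is set, so users do not assume the default configuration is covered. Wrapping the bug reference in parentheses, as the commit subject does, would also keep the two consistent.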
diff --git a/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch b/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch
new file mode 100644
index 0000000..ddd1a9f
--- /dev/null
+++ b/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch
@@ -0,0 +1,53 @@
+From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
+From: Antonio Terceiro <terceiro at debian.org>
+Date: Sat, 7 Feb 2015 23:27:39 -0200
+Subject: [PATCH] Filter out 'javascript:' links when using filter_html or
+ sanitize_html
+
+This is a fix for CVE-2012-6684
+---
+ lib/redcloth/formatters/html.rb     |  6 +++++-
+ spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 spec/security/CVE-2012-6684_spec.rb
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index bfadfb7..b8793b2 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML
+   end
+   
+   def link(opts)
+-    "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++    if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
++      opts[:name]
++    else
++      "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++    end
+   end
+   
+   def image(opts)
+diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
+new file mode 100644
+index 0000000..05219fd
+--- /dev/null
++++ b/spec/security/CVE-2012-6684_spec.rb
+@@ -0,0 +1,14 @@
++# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
++
++require 'redcloth'
++
++describe 'CVE-2012-6684' do
++
++  it 'should not let javascript links pass through' do
++    # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
++    output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
++    expect(output).to_not match(/href=.javascript:alert/)
++  end
++
++
++end
+-- 
+2.1.4
+
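Review bot: In the `link` change to lib/redcloth/formatters/html.rb, the check `opts[:href] =~ /^\s*javascript:/` is case-sensitive, while URL schemes are case-insensitive, so the match should at least carry the `i` flag. A sturdier approach is an allowlist of permitted schemes, with every other href rendered as plain `opts[:name]`, since a denylist of one scheme leaves the other script-capable schemes untouched. The new spec only exercises a lowercase href with `:filter_html`; add cases for `sanitize_html` and for a mixed-case scheme so the regression test pins the intended behaviour.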
diff --git a/debian/patches/series b/debian/patches/series
index fb58cc7..8cc0ce7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-restore-extconf.rb.patch
+0001-Filter-out-javascript-links-when-using-filter_html-o.patch
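Review bot: The added series entry reuses the `0001-` prefix already taken by `0001-restore-extconf.rb.patch`, so the numeric prefix no longer reflects apply order. Rename the new patch with a `0002-` prefix (or drop the numeric prefixes) so the file names in debian/patches sort the same way the series file applies them.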

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-redcloth.git


