[DRE-commits] [ruby-redcloth] 01/03: filter javascript: links when proper HTML sanitization options

Antonio Terceiro terceiro at moszumanska.debian.org
Sat Feb 21 14:25:05 UTC 2015


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to annotated tag debian/4.2.9-2+deb7u1
in repository ruby-redcloth.

commit 9bd21af8c829238ef035bf07b659eacd8241303e
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Sat Feb 7 23:39:11 2015 -0200

    filter javascript: links when proper HTML sanitization options
    
    Closes: #774748 [CVE-2012-6684]
---
 debian/changelog                                   |  9 ++++
 ...javascript-links-when-using-filter_html-o.patch | 53 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 63 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2975f99..14b01db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ruby-redcloth (4.2.9-2.1) wheezy-security; urgency=medium
+
+  * Team upload.
+  * 0001-Filter-out-javascript-links-when-using-filter_html-o.patch:
+    filter javascript: links when proper HTML sanitization options are turned
+    on (Closes: #774748 [CVE-2012-6684])
+
+ -- Antonio Terceiro <terceiro at debian.org>  Sat, 07 Feb 2015 23:35:43 -0200
+
 ruby-redcloth (4.2.9-2) unstable; urgency=low
 
   * Team upload.
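Review bot: the version in the new changelog stanza, 4.2.9-2.1, does not match the tag this commit is pushed under, debian/4.2.9-2+deb7u1 (see the notice header); for a wheezy-security upload the +deb7u1 form is the one the tag already uses, so either the stanza header should read `ruby-redcloth (4.2.9-2+deb7u1) wheezy-security; urgency=medium` or the tag should be reconciled with the changelog, since the mismatch will show up when the source package is built and compared against the tag.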
diff --git a/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch b/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch
new file mode 100644
index 0000000..ddd1a9f
--- /dev/null
+++ b/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch
@@ -0,0 +1,53 @@
+From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
+From: Antonio Terceiro <terceiro at debian.org>
+Date: Sat, 7 Feb 2015 23:27:39 -0200
+Subject: [PATCH] Filter out 'javascript:' links when using filter_html or
+ sanitize_html
+
+This is a fix for CVE-2012-6684
+---
+ lib/redcloth/formatters/html.rb     |  6 +++++-
+ spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 spec/security/CVE-2012-6684_spec.rb
+
+diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
+index bfadfb7..b8793b2 100644
+--- a/lib/redcloth/formatters/html.rb
++++ b/lib/redcloth/formatters/html.rb
+@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML
+   end
+   
+   def link(opts)
+-    "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++    if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
++      opts[:name]
++    else
++      "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
++    end
+   end
+   
+   def image(opts)
+diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
+new file mode 100644
+index 0000000..05219fd
+--- /dev/null
++++ b/spec/security/CVE-2012-6684_spec.rb
+@@ -0,0 +1,14 @@
++# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
++
++require 'redcloth'
++
++describe 'CVE-2012-6684' do
++
++  it 'should not let javascript links pass through' do
++    # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
++    output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
++    expect(output).to_not match(/href=.javascript:alert/)
++  end
++
++
++end
+-- 
+2.1.4
+
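Review bot: the scheme check in `link` is a case-sensitive denylist anchored with `^`, so `/^\s*javascript:/` will not match `JavaScript:` or other capitalisations, and because Ruby's `^` matches at the start of any line rather than only at the start of the string, the intent is better expressed with `\A`; at minimum change it to `/\A\s*javascript:/i`, and preferably invert the logic so that only an allowlist of schemes (relative URLs, `http`, `https`, `mailto`) is emitted as a link while everything else falls through to the plain `opts[:name]` branch, which is the robust shape for this kind of sanitisation. The accompanying spec only exercises `:filter_html`; add a second example that constructs `RedCloth.new(..., [:sanitize_html])` so both branches of the `(filter_html || sanitize_html)` condition are covered, and drop the two stray blank lines before the closing `end`.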
diff --git a/debian/patches/series b/debian/patches/series
index fb58cc7..8cc0ce7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-restore-extconf.rb.patch
+0001-Filter-out-javascript-links-when-using-filter_html-o.patch
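Review bot: the new entry reuses the `0001-` prefix already taken by `0001-restore-extconf.rb.patch`, so the series now has two patches numbered 0001; rename the new file to `0002-Filter-out-javascript-links-when-using-filter_html-o.patch` (and update the changelog reference to match) so the file names reflect application order.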

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-redcloth.git