[DRE-commits] [rails] 01/01: CVE-2016-6316: Possible XSS Vulnerability in Action View

Antonio Terceiro terceiro at moszumanska.debian.org
Mon Aug 22 17:33:26 UTC 2016


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to branch debian/jessie
in repository rails.

commit 8330f66af5f31fa3d78304b20344943219a51364
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Mon Aug 22 13:35:36 2016 -0300

    CVE-2016-6316: Possible XSS Vulnerability in Action View
    
    Closes: Bug#834155
---
 debian/changelog                   |  8 +++++++
 debian/patches/CVE-2016-6316.patch | 45 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 54 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index aa08ba6..2e09ba0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+rails (2:4.1.8-1+deb8u3) jessie-security; urgency=high
+
+  * Security update
+  * CVE-2016-6316: Possible XSS Vulnerability in Action View
+    (Closes: Bug#834155)
+
+ -- Antonio Terceiro <terceiro at debian.org>  Mon, 22 Aug 2016 13:35:11 -0300
+
 rails (2:4.1.8-1+deb8u2) jessie-security; urgency=high
 
   * Security updates:
diff --git a/debian/patches/CVE-2016-6316.patch b/debian/patches/CVE-2016-6316.patch
new file mode 100644
index 0000000..4381974
--- /dev/null
+++ b/debian/patches/CVE-2016-6316.patch
@@ -0,0 +1,45 @@
+From: Andrew Carpenter <andrew at criticaljuncture.org>
+Date: Thu, 28 Jul 2016 16:12:21 -0700
+Subject: ensure tag/content_tag escapes " in attribute vals
+
+Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
+
+CVE-2016-6316
+
+Author: Andrew Carpenter <andrew at criticaljuncture.org>
+Backported-by: Antonio Terceiro <terceiro at debian.org>
+---
+ actionview/lib/action_view/helpers/tag_helper.rb |  2 +-
+ actionview/test/template/tag_helper_test.rb      | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/actionview/lib/action_view/helpers/tag_helper.rb
++++ b/actionview/lib/action_view/helpers/tag_helper.rb
+@@ -169,7 +169,7 @@ module ActionView
+         def tag_option(key, value, escape)
+           value = value.join(" ") if value.is_a?(Array)
+           value = ERB::Util.h(value) if escape
+-          %(#{key}="#{value}")
++          %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
+         end
+     end
+   end
+--- a/actionview/test/template/tag_helper_test.rb
++++ b/actionview/test/template/tag_helper_test.rb
+@@ -116,6 +116,16 @@ class TagHelperTest < ActionView::TestCa
+     end
+   end
+ 
++  def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
++    assert_dom_equal '<p title=""">content</p>',
++      content_tag('p', "content", title: '"'.html_safe)
++  end
++
++  def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
++    assert_dom_equal '<p data-title=""">content</p>',
++      content_tag('p', "content", data: { title: '"'.html_safe })
++  end
++
+   def test_skip_invalid_escaped_attributes
+     ['&1;', '&#1dfa3;', '& #123;'].each do |escaped|
+       assert_equal %(<a href="#{escaped.gsub(/&/, '&')}" />), tag('a', :href => escaped)
diff --git a/debian/patches/series b/debian/patches/series
index 2712fbb..5ecf424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ CVE-2016-0752.patch
 CVE-2016-0753.patch
 CVE-2016-2097.patch
 CVE-2016-2098.patch
+CVE-2016-6316.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/rails.git



More information about the Pkg-ruby-extras-commits mailing list