[DRE-commits] [rails] 01/02: test script for CVE-2016-6316

Antonio Terceiro terceiro at moszumanska.debian.org
Tue Aug 23 20:18:31 UTC 2016


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to branch debian/jessie
in repository rails.

commit b100593f8c23289efb00d2db8603cde2e7505acf
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Tue Aug 23 16:58:52 2016 -0300

    test script for CVE-2016-6316
---
 debian/changelog           |  7 +++++++
 debian/tests/CVE-2016-6316 | 49 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/tests/control       |  2 +-
 3 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 2e09ba0..2d65552 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+rails (2:4.1.8-1+deb8u4) jessie-security; urgency=high
+
+  [ Salvatore Bonaccorso ]
+  * add test script for CVE-2016-6316
+
+ -- Antonio Terceiro <terceiro at debian.org>  Tue, 23 Aug 2016 16:59:26 -0300
+
 rails (2:4.1.8-1+deb8u3) jessie-security; urgency=high
 
   * Security update
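Review bot: the changelog entry only mentions the test script, but this commit also edits debian/tests/control to enable it; a second bullet such as "* debian/tests/control: enable the CVE-2016-6316 test" would keep the entry in step with the diffstat. Bumping to deb8u4 for a test-only change is fine, but the entry should say the change is test-only so a security-tracker reader does not expect a code fix.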
diff --git a/debian/tests/CVE-2016-6316 b/debian/tests/CVE-2016-6316
new file mode 100755
index 0000000..8fa5c62
--- /dev/null
+++ b/debian/tests/CVE-2016-6316
@@ -0,0 +1,49 @@
+# CVE-2016-6316 test
+# apt-get install ruby-test-unit
+
+require 'action_view'
+require 'action_view/helpers'
+
+include ActionView::Helpers::TagHelper
+
+require 'minitest/autorun'
+
+module ActionDispatch
+  module Assertions
+    module DomAssertions
+      # \Test two HTML strings for equivalency (e.g., identical up to reordering of attributes)
+      #
+      #   # assert that the referenced method generates the appropriate HTML string
+      #   assert_dom_equal '<a href="http://www.example.com">Apples</a>', link_to("Apples", "http://www.example.com")
+      def assert_dom_equal(expected, actual, message = nil)
+        expected_dom = HTML::Document.new(expected).root
+        actual_dom   = HTML::Document.new(actual).root
+        assert_equal expected_dom, actual_dom, message
+      end
+    end
+  end
+end
+
+include ActionDispatch::Assertions::DomAssertions
+
+class TestSimple < Minitest::Test
+
+  def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p title=""">content</p>',
+      content_tag('p', "content", title: '"'.html_safe)
+  end
+
+  def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+    assert_dom_equal '<p data-title=""">content</p>',
+      content_tag('p', "content", data: { title: '"'.html_safe })
+  end
+
+  def test_tag_options_accepts_symbol_option_when_not_escaping
+    assert_equal "<p value=\"symbol\" />", tag("p", { value: :symbol }, false, false)
+  end
+
+  def test_tag_options_accepts_integer_option_when_not_escaping
+    assert_equal "<p value=\"42\" />", tag("p", { value: 42 }, false, false)
+  end
+
+end
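Review bot: the new file is added with mode 100755 but its first line is the comment `# CVE-2016-6316 test`, not an interpreter line; autopkgtest executes each name in `Tests:` directly, so without a shebang such as `#!/usr/bin/ruby` the script is handed to the shell and fails on the first `require`. Add the shebang as line 1. The second comment, `# apt-get install ruby-test-unit`, names test-unit while the code actually requires `minitest/autorun` and subclasses `Minitest::Test`; either point the comment at the minitest package or drop it, since the real dependency is declared (or not) in debian/tests/control. The `assert_dom_equal` redefinition also leans on the legacy `HTML::Document` parser being loaded as a side effect of `action_view/helpers`; an explicit require of the html-scanner code, or a short comment noting the dependency, would make that less fragile. The four test cases themselves match the upstream behaviour for CVE-2016-6316 (an html_safe `"` in a tag attribute must still be escaped to `&quot;`, while symbol and integer attribute values are still accepted when escaping is disabled).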
diff --git a/debian/tests/control b/debian/tests/control
index f6e3f18..a367eed 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,2 +1,2 @@
-Tests: newapp
+Tests: newapp CVE-2016-6316
 Restrictions: allow-stderr, needs-recommends
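Review bot: adding `CVE-2016-6316` to `Tests:` without a `Depends:` field means the test runs against the default `@` dependency set plus, via `needs-recommends`, the Recommends of those packages; the script needs minitest (and the actionview runtime), so if those are only reachable through Recommends this silently depends on the restriction staying in place. Declaring the minitest dependency explicitly for this test would make the requirement visible and survive a later cleanup of `needs-recommends`.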

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/rails.git