[DRE-commits] [rails] 01/02: test script for CVE-2016-6316
Antonio Terceiro
terceiro at moszumanska.debian.org
Tue Aug 23 20:18:31 UTC 2016
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch debian/jessie
in repository rails.
commit b100593f8c23289efb00d2db8603cde2e7505acf
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Tue Aug 23 16:58:52 2016 -0300
test script for CVE-2016-6316
---
debian/changelog | 7 +++++++
debian/tests/CVE-2016-6316 | 49 ++++++++++++++++++++++++++++++++++++++++++++++
debian/tests/control | 2 +-
3 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 2e09ba0..2d65552 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+rails (2:4.1.8-1+deb8u4) jessie-security; urgency=high
+
+ [ Salvatore Bonaccorso ]
+ * add test script for CVE-2016-6316
+
+ -- Antonio Terceiro <terceiro at debian.org> Tue, 23 Aug 2016 16:59:26 -0300
+
rails (2:4.1.8-1+deb8u3) jessie-security; urgency=high
* Security update
diff --git a/debian/tests/CVE-2016-6316 b/debian/tests/CVE-2016-6316
new file mode 100755
index 0000000..8fa5c62
--- /dev/null
+++ b/debian/tests/CVE-2016-6316
@@ -0,0 +1,49 @@
+# CVE-2016-6316 test
+# apt-get install ruby-test-unit
+
+require 'action_view'
+require 'action_view/helpers'
+
+include ActionView::Helpers::TagHelper
+
+require 'minitest/autorun'
+
+module ActionDispatch
+ module Assertions
+ module DomAssertions
+ # \Test two HTML strings for equivalency (e.g., identical up to reordering of attributes)
+ #
+ # # assert that the referenced method generates the appropriate HTML string
+ # assert_dom_equal '<a href="http://www.example.com">Apples</a>', link_to("Apples", "http://www.example.com")
+ def assert_dom_equal(expected, actual, message = nil)
+ expected_dom = HTML::Document.new(expected).root
+ actual_dom = HTML::Document.new(actual).root
+ assert_equal expected_dom, actual_dom, message
+ end
+ end
+ end
+end
+
+include ActionDispatch::Assertions::DomAssertions
+
+class TestSimple < Minitest::Test
+
+ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal '<p title=""">content</p>',
+ content_tag('p', "content", title: '"'.html_safe)
+ end
+
+ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal '<p data-title=""">content</p>',
+ content_tag('p', "content", data: { title: '"'.html_safe })
+ end
+
+ def test_tag_options_accepts_symbol_option_when_not_escaping
+ assert_equal "<p value=\"symbol\" />", tag("p", { value: :symbol }, false, false)
+ end
+
+ def test_tag_options_accepts_integer_option_when_not_escaping
+ assert_equal "<p value=\"42\" />", tag("p", { value: 42 }, false, false)
+ end
+
+end
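Review bot: The new script is added with mode 100755 but its first line, `# CVE-2016-6316 test`, is a comment rather than an interpreter line, so running `debian/tests/CVE-2016-6316` directly (as autopkgtest does) will not hand it to Ruby; add `#!/usr/bin/ruby` as the first line ahead of the existing comment. The comment `# apt-get install ruby-test-unit` also disagrees with the code, which requires `minitest/autorun` and subclasses `Minitest::Test`, so it should read `# apt-get install ruby-minitest` or be dropped. The expected strings in the first two tests appear as `'<p title=""">content</p>'`, which is not well-formed markup; if that is only the mail archive decoding `&quot;` there is nothing to do, but if the file really contains three quotes the assertion does not pin the attribute escaping the CVE fix introduces and should compare against `'<p title="&quot;">content</p>'` (and likewise for `data-title`).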
diff --git a/debian/tests/control b/debian/tests/control
index f6e3f18..a367eed 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,2 +1,2 @@
-Tests: newapp
+Tests: newapp CVE-2016-6316
Restrictions: allow-stderr, needs-recommends
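Review bot: The stanza has no `Depends:` field, so autopkgtest assumes `Depends: @` (the package's own binaries), and nothing in this diff guarantees that the `minitest/autorun` the new `CVE-2016-6316` script requires is installed on the test system; whether `needs-recommends` happens to pull it in is not visible here. Making it explicit with `Depends: @, ruby-minitest` avoids the test being skipped or failing on a missing library rather than on the behaviour under test.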