Hello community,
here is the log from the commit of package rubygem-actionpack-3_2.1539 for
openSUSE:12.2:Update checked in at 2013-04-10 22:43:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/rubygem-actionpack-3_2.1539 (Old)
and /work/SRC/openSUSE:12.2:Update/.rubygem-actionpack-3_2.1539.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-3_2.1539", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-04-05 00:01:41.916011506 +0200
+++ /work/SRC/openSUSE:12.2:Update/.rubygem-actionpack-3_2.1539.new/rubygem-actionpack-3_2.changes 2013-04-10 22:44:01.000000000 +0200
@@ -0,0 +1,157 @@
+-------------------------------------------------------------------
+Tue Apr 2 13:39:10 CEST 2013 - [email protected]
+
+- add 2 patches to fix security issues:
+ - bug-809935_3-2-css_sanitize.patch:
+ CVE-2013-1855: rubygem-actionpack*: XSS vulnerability in
+ sanitize_css in Action Pack (bnc#809935)
+ - bug-809940_3-2-sanitize_protocol.patch:
+ CVE-2013-1857: rubygem-actionpack*: XSS Vulnerability in the
+ `sanitize` helper of Ruby on Rails (bnc#809940)
+
+-------------------------------------------------------------------
+Wed Feb 13 23:16:35 UTC 2013 - [email protected]
+
+- update to version 3.2.12 (bnc#803336) CVE-2013-0276:
+ * Version bump
+
+-------------------------------------------------------------------
+Thu Jan 17 17:48:20 UTC 2013 - [email protected]
+
+- bump sprockets requires to 2.2.1
+
+-------------------------------------------------------------------
+Thu Jan 17 11:28:55 UTC 2013 - [email protected]
+
+- update to 3.2.11 (bnc#796712, bnc#797449, bnc#797452)
+ * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+- additional changes from 3.2.10, 3.2.9 and 3.2.8
+ The list is too long. Please see
+ /usr/lib*/ruby/gems/1.*/gems/actionpack-3.2.11/CHANGELOG.md
+
+-------------------------------------------------------------------
+Thu Aug 2 14:38:46 UTC 2012 - [email protected]
+
+- update to 3.2.7
+ - Do not convert digest auth strings to symbols. CVE-2012-3424
+ - Bump Journey requirements to 1.0.4
+ - Add support for optional root segments containing slashes
+ - Fixed bug creating invalid HTML in select options
+ - Show in log correct wrapped keys
+ - Fix NumberHelper options wrapping to prevent verbatim blocks
+ being rendered instead of line continuations.
+ - ActionController::Metal doesn't have logger method, check it
+ and then delegate
+ - ActionController::Caching depends on RackDelegation and
+ AbstractController::Callbacks
+ - nil is removed from array parameter values CVE-2012-2694
+ - Deprecate `:confirm` in favor of `':data => { :confirm =>
+ "Text" }'` option for `button_to`, `button_tag`,
+ `image_submit_tag`, `link_to` and `submit_tag` helpers.
+ *Carlos Galdino*
+ - Allow to use mounted_helpers (helpers for accessing mounted
+ engines) in ActionView::TestCase. *Piotr Sarnacki*
+ - Include mounted_helpers (helpers for accessing mounted engines)
+ in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
+ - Deprecate old APIs for highlight, excerpt and word_wrap *Jeremy
+ Walker*
+ - Deprecate `:disable_with` in favor of `'data-disable-with'`
+ option for `button_to`, `button_tag` and `submit_tag` helpers.
+ *Carlos Galdino + Rafael Mendonça França*
+ - Deprecate `:mouseover` option for `image_tag` helper. *Rafael
+ Mendonça França*
+ - Deprecate `button_to_function` and `link_to_function` helpers.
+ *Rafael Mendonça França*
+ - Don't break Haml with textarea newline fix. GH #393, #4000,
+ #5190, #5191
+ - Fix options handling on labels. GH #2492, #5614
+ - Added
+ config.action_view.embed_authenticity_token_in_remote_forms to
+ deal with regression from 16ee611fa
+ - Set rendered_format when doing render :inline. GH #5632
+ - Fix the redirect when it receive blocks with arity of 1. Closes
+ #5677
+ - Strip [nil] from parameters hash. Thanks to Ben Murphy for
+ reporting this! CVE-2012-2660
+
+-------------------------------------------------------------------
+Mon May 14 12:17:06 UTC 2012 - [email protected]
+
+- add generic provides
+
+-------------------------------------------------------------------
+Mon Apr 23 09:03:39 UTC 2012 - [email protected]
+
+- Fix dependencies, (build)require actionpack-3_2, rack-cache-1_2
+ and activesupport-3_2 directly (instead of unversioned packages)
+
+-------------------------------------------------------------------
+Wed Apr 4 15:31:30 UTC 2012 - [email protected]
+
+- update to 3.2.3
+ * Remove the leading \n added by textarea on assert_select.
+ *Santiago Pastorino*
+ * Fix #5632, render :inline set the proper rendered format.
+ *Santiago Pastorino*
+ * Fix textarea rendering when using plugins like HAML. Such
+ plugins encode the first newline character in the content. This
+ issue was introduced in
+ https://github.com/rails/rails/pull/5191 *James Coleman*
+ * Add
+ `config.action_view.embed_authenticity_token_in_remote_forms`
+ (defaults to true) which allows to set if authenticity token
+ will be included by default in remote forms. If you change it
+ to false, you can still force authenticity token by passing
+ `:authenticity_token => true` in form options *Piotr Sarnacki*
+ * Do not include the authenticity token in forms where remote:
+ true as ajax forms use the meta-tag value *DHH*
+ * Turn off verbose mode of rack-cache, we still have X-Rack-Cache
+ to check that info. Closes #5245. *Santiago Pastorino*
+ * Fix #5238, rendered_format is not set when template is not
+ rendered. *Piotr Sarnacki*
+ * Upgrade rack-cache to 1.2. *José Valim*
+ * ActionController::SessionManagement is deprecated.
+ *Santiago Pastorino*
+ * Since the router holds references to many parts of the system
+ like engines, controllers and the application itself,
+ inspecting the route set can actually be really slow, therefore
+ we default alias inspect to to_s. *José Valim*
+ * Add a new line after the textarea opening tag. Closes #393
+ *Rafael Mendonça França*
+ * Always pass a respond block from to responder. We should let
+ the responder to decide what to do with the given overridden
+ response block, and not short circuit it. *sikachu*
+ * Fixes layout rendering regression from 3.2.2. *José Valim*
+ ## Rails 3.2.2 (March 1, 2012) ##
+ * Format lookup for partials is derived from the format in which
+ the template is being rendered. Closes #5025 part 2 *Santiago
+ Pastorino*
+ * Use the right format when a partial is missing. Closes #5025.
+ *Santiago Pastorino*
+ * Default responder will now always use your overridden block in
+ `respond_with` to render your response. *Prem Sichanugrist*
+ * check_box helper with :disabled => true will generate a
+ disabled hidden field to conform with the HTML convention where
+ disabled fields are not submitted with the form. This is a
+ behavior change, previously the hidden tag had a value of the
+ disabled checkbox. *Tadas Tamosauskas*
+
+-------------------------------------------------------------------
+Fri Mar 23 10:43:18 UTC 2012 - [email protected]
+
+- Spec file cleanup:
+ * Factory preparation
+
+-------------------------------------------------------------------
+Fri Jan 27 01:03:48 UTC 2012 - [email protected]
+
+- update to 3.2.1
+ * Documentation improvements.
+ * Allow `form.select` to accept ranges (regression). *Jeremy Walker*
+ * `datetime_select` works with -/+ infinity dates. *Joe Van Dyk*
+
+-------------------------------------------------------------------
+Thu Jan 26 16:37:47 UTC 2012 - [email protected]
+
+- initial package of the 3.2 branch
+
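Review bot: the Feb 13 2013 entry for 3.2.12 records only `* Version bump` under its CVE reference (CVE-2013-0276, bnc#803336), while every other security entry in this file says what was fixed (compare the CVE-2013-1855, CVE-2013-1857 and CVE-2013-0155 entries); one line naming the fixed issue would make this changelog usable when cross-referencing advisories against installed versions.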
New:
----
actionpack-3.2.12.gem
bug-809935_3-2-css_sanitize.patch
bug-809940_3-2-sanitize_protocol.patch
rubygem-actionpack-3_2.changes
rubygem-actionpack-3_2.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionpack-3_2.spec ++++++
#
# spec file for package rubygem-actionpack-3_2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: rubygem-actionpack-3_2
Version: 3.2.12
Release: 0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
#
#
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: rubygems_with_buildroot_patch
%rubygems_requires
Requires: ruby >= 1.8.7
BuildRequires: ruby-devel >= 1.8.7
# activesupport = 3.2.12
BuildRequires: rubygem-activesupport-3_2 = 3.2.12
Requires: rubygem-activesupport-3_2 = 3.2.12
# activemodel = 3.2.12
BuildRequires: rubygem-activemodel-3_2 = 3.2.12
Requires: rubygem-activemodel-3_2 = 3.2.12
# rack-cache ~> 1.2
BuildRequires: rubygem-rack-cache-1_2 >= 1.2
Requires: rubygem-rack-cache-1_2 >= 1.2
# builder ~> 3.0.0
BuildRequires: rubygem-builder-3_0 >= 3.0.0
Requires: rubygem-builder-3_0 >= 3.0.0
# rack ~> 1.4.0
BuildRequires: rubygem-rack-1_4 >= 1.4.5
Requires: rubygem-rack-1_4 >= 1.4.5
# rack-test ~> 0.6.1
BuildRequires: rubygem-rack-test-0_6 >= 0.6.1
Requires: rubygem-rack-test-0_6 >= 0.6.1
# journey ~> 1.0.4
BuildRequires: rubygem-journey-1_0 >= 1.0.4
Requires: rubygem-journey-1_0 >= 1.0.4
# sprockets ~> 2.2.1
BuildRequires: rubygem-sprockets-2_2 >= 2.2.1
Requires: rubygem-sprockets-2_2 >= 2.2.1
# erubis ~> 2.7.0
BuildRequires: rubygem-erubis-2_7 >= 2.7.0
Requires: rubygem-erubis-2_7 >= 2.7.0
Provides: rubygem-%{mod_name} = %{version}
Provides: rubygem-%{mod_name}-3 = %{version}
#
Url: http://www.rubyonrails.org
Source: %{mod_full_name}.gem
Source1: bug-809935_3-2-css_sanitize.patch
Source2: bug-809940_3-2-sanitize_protocol.patch
#
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT
Group: Development/Languages/Ruby
%description
Web apps on Rails. Simple, battle-tested conventions for building and testing
MVC web applications. Works with any Rack-compatible server.
%package doc
Summary: RDoc documentation for %{mod_name}
Group: Development/Languages/Ruby
Requires: %{name} = %{version}
%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.
%prep
%build
%install
%gem_install %{S:0}
pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}
patch -p2 < %{S:1}
patch -p2 < %{S:2}
popd
%files
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec
%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/
%changelog
++++++ bug-809935_3-2-css_sanitize.patch ++++++
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index af06bff..02eea58 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -110,8 +110,8 @@ module HTML
style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
# gauntlet
- if style !~
/^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+ if style !~
/\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
return ''
end
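Review bot: correct fix, but the reason belongs in the `# gauntlet` comment so it survives the next refactor: in Ruby `^` and `$` are line anchors, so the old expressions were satisfied as soon as any single line of a multi-line `style` value looked clean, whereas `\A` and `\z` force the entire value to match. One nit: the inner `(;|$)` in the second expression still uses `$`; because the outer `\z` already forces the whole string to be consumed it is harmless, but `(;|\z)` would stop the next reader asking the same question. A regression test feeding `sanitize_css` a value containing a newline and asserting it returns `''` would pin the behaviour.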
@@ -122,7 +122,7 @@ module HTML
elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
unless val.split().any? do |keyword|
!allowed_css_keywords.include?(keyword) &&
- keyword !~
/^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+ keyword !~
/\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
end
clean << prop + ': ' + val + ';'
end
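Review bot: this hunk is consistency hardening rather than part of the behavioural fix, and a short comment saying so would stop someone reverting it as a no-op later: `val.split()` with no argument splits on all whitespace, newlines included, so `keyword` can never contain a line break and `^`/`$` behave identically to `\A`/`\z` here. Keeping `\A`/`\z` is still the right default for any validator regex in this file.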
++++++ bug-809940_3-2-sanitize_protocol.patch ++++++
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 02eea58..994e115 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -66,7 +66,7 @@ module HTML
# A regular expression of the valid characters used to separate protocols
like
# the ':' in 'http://foo.com'
- self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/
+ self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i
# Specifies a Set of HTML attributes that can have URIs.
self.uri_attributes = Set.new(%w(href src cite action longdesc
xlink:href lowsrc))
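Review bot: as rendered on this page the hunk has had its HTML character references decoded by the archive (an alternative of just `(p)`, a redundant `(%|%)3A`, and the mangled `�*58` cannot be what the source file says), so the `bug-809940_3-2-sanitize_protocol.patch` file shipped in the package, not this listing, is what must be reviewed and applied byte for byte. On substance: the separator previously knew only a decimal character reference for the colon; the added `...0*3a` alternative plus the new `/i` flag make the hex reference match regardless of leading zeros and letter case, and `/i` also lets the percent-encoded form match lowercase hex. Since `contains_bad_protocols?` splits on exactly this separator, any encoding missing from it is an encoding the scheme check never sees; a comment enumerating the forms covered would make future gaps easier to spot.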
@@ -171,7 +171,7 @@ module HTML
def contains_bad_protocols?(attr_name, value)
uri_attributes.include?(attr_name) &&
- (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ &&
!allowed_protocols.include?(value.split(protocol_separator).first.downcase))
+ (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i &&
!allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end
end
end
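Review bot: the detection regex is updated in lockstep with `protocol_separator`, which is necessary because the two must stay in sync; extracting the shared alternation into one constant would make that automatic instead of relying on the reviewer. The shape of the check also deserves a comment: the method returns false whenever the regex does not match at all, so a value using a colon encoding the alternation does not list is passed through rather than rejected; decoding character and percent references to a canonical form before the scheme test would let one plain `:` separator suffice and remove the dependence on a complete enumeration. Two smaller points: `^` inside `(^[^\/:]*):` is a line anchor while the CSS patch moved to `\A`; here it only makes the check fire more often, which is the safe direction, but say so. And `.strip` after `.downcase` means whitespace-padded scheme names now compare equal to allowed ones; document that intent next to the call.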