Hello community,
here is the log from the commit of package rubygem-actionpack-3_2.1539 for
openSUSE:12.3:Update checked in at 2013-04-10 22:44:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/rubygem-actionpack-3_2.1539 (Old)
and /work/SRC/openSUSE:12.3:Update/.rubygem-actionpack-3_2.1539.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-3_2.1539", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-04-05 00:01:41.916011506 +0200
+++
/work/SRC/openSUSE:12.3:Update/.rubygem-actionpack-3_2.1539.new/rubygem-actionpack-3_2.changes
2013-04-10 22:44:04.000000000 +0200
@@ -0,0 +1,164 @@
+-------------------------------------------------------------------
+Tue Apr 2 11:41:31 UTC 2013 - [email protected]
+
+- add 2 patches to fix security issues:
+ - bug-809935_3-2-css_sanitize.patch:
+ CVE-2013-1855: rubygem-actionpack*: XSS vulnerability in
+ sanitize_css in Action Pack (bnc#809935)
+ - bug-809940_3-2-sanitize_protocol.patch:
+ CVE-2013-1857: rubygem-actionpack*: XSS Vulnerability in the
+ `sanitize` helper of Ruby on Rails (bnc#809940)
+
+-------------------------------------------------------------------
+Tue Feb 12 13:38:03 UTC 2013 - [email protected]
+
+- updated to version 3.2.12, version bump
+
+-------------------------------------------------------------------
+Tue Jan 8 20:13:38 UTC 2013 - [email protected]
+
+- updated to version 3.2.11
+ * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
+
+-------------------------------------------------------------------
+Thu Jan 3 22:42:51 UTC 2013 - [email protected]
+
+- updated to version 3.2.10, version bump
+
+-------------------------------------------------------------------
+Tue Nov 13 13:56:59 UTC 2012 - [email protected]
+
+- updated to version 3.2.9
+ * Clear url helpers when reloading routes.
+ * Accept :remote as symbolic option for `link_to` helper. *Riley Lynch*
+ * Warn when the `:locals` option is passed to `assert_template` outside of
a view test case
+ Fix #3415
+ * Rename internal variables on ActionController::TemplateAssertions to
prevent
+ naming collisions. @partials, @templates and @layouts are now prefixed
with an underscore.
+ Fix #7459
+ * `resource` and `resources` don't modify the passed options hash
+ Fix #7777
+ * Precompiled assets include aliases from foo.js to foo/index.js and vice
versa.
+ # Precompiles phone-<digest>.css and aliases phone/index.css to
phone.css.
+ config.assets.precompile = [ 'phone.css' ]
+ * `assert_template` is no more passing with what ever string that matches
+ with the template name.
+ Fixes #3849.
+ * Handle `ActionDispatch::Http::UploadedFile` like
`Rack::Test::UploadedFile`, don't call to_param on it. Since
+ `Rack::Test::UploadedFile` isn't API compatible this is needed to test
file uploads that rely on `tempfile`
+ being available.
+ * Respect `config.digest = false` for `asset_path`
+ * Fix #7646, the log now displays the correct status code when an exception
is raised.
+ * Fix handling of date selects when using both disabled and discard options.
+ Fixes #7431.
+ * Fix select_tag when option_tags is nil.
+ Fixes #7404.
+ * `javascript_include_tag :all` will now not include `application.js` if
the file does not exists. *Prem Sichanugrist*
+ * Support cookie jar options (e.g., domain :all) for all session stores.
+ Fixes GH#3047, GH#2483.
+ * Performance Improvement to send_file: Avoid having to pass an open file
handle as the response body. Rack::Sendfile
+ will usually intercept the response and just uses the path directly, so
no reason to open the file. This performance
+
+-------------------------------------------------------------------
+Fri Aug 10 06:29:13 UTC 2012 - [email protected]
+
+- updated to version 3.2.8
+ * html_escape should escape single quotes.
+ * Reverted the deprecation of :confirm.
+ * Reverted the deprecation of :disable_with.
+ * Reverted the deprecation of :mouseover option to image_tag.
+ * Reverted the deprecation of button_to_function and link_to_function
helpers.
+
+-------------------------------------------------------------------
+Fri Jul 27 13:32:25 UTC 2012 - [email protected]
+
+- update to 3.2.7
+ * Do not convert digest auth strings to symbols. CVE-2012-3424
+ * Bump Journey requirements to 1.0.4
+ * Add support for optional root segments containing slashes
+ * Fixed bug creating invalid HTML in select options
+ * Show in log correct wrapped keys
+ * Fix NumberHelper options wrapping to prevent verbatim blocks being
rendered instead of line continuations.
+ * ActionController::Metal doesn't have logger method, check it and then
delegate
+ * ActionController::Caching depends on RackDelegation and
AbstractController::Callbacks
+
+-------------------------------------------------------------------
+Thu Jun 28 12:57:50 UTC 2012 - [email protected]
+
+- update to 3.2.6
+ * nil is removed from array parameter values
+ CVE-2012-2694
+ * Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'`
option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and
`submit_tag
+` helpers.
+ * Allow to use mounted_helpers (helpers for accessing mounted engines) in
ActionView::TestCase. *Piotr Sarnacki*
+ * Include mounted_helpers (helpers for accessing mounted engines) in
ActionDispatch::IntegrationTest by default. *Piotr Sarnacki*
+ * Deprecate old APIs for highlight, excerpt and word_wrap *Jeremy Walker*
+ * Deprecate `:disable_with` in favor of `'data-disable-with'` option for
`button_to`, `button_tag` and `submit_tag` helpers.
+ * Deprecate `:mouseover` option for `image_tag` helper. *Rafael Mendonça
França*
+ * Deprecate `button_to_function` and `link_to_function` helpers. *Rafael
Mendonça França*
+ * Don't break Haml with textarea newline fix. GH #393, #4000, #5190, #5191
+ * Fix options handling on labels. GH #2492, #5614
+ * Added config.action_view.embed_authenticity_token_in_remote_forms to deal
+ with regression from 16ee611fa
+ * Set rendered_format when doing render :inline. GH #5632
+ * Fix the redirect when it receive blocks with arity of 1. Closes #5677
+ * Strip [nil] from parameters hash. Thanks to Ben Murphy for
+ reporting this! CVE-2012-2660
+
+-------------------------------------------------------------------
+Mon May 14 12:17:06 UTC 2012 - [email protected]
+
+- add generic provides
+
+-------------------------------------------------------------------
+Mon Apr 23 09:03:39 UTC 2012 - [email protected]
+
+- Fix dependencies, (build)require actionpack-3_2, rack-cache-1_2
+ and activesupport-3_2 directly (instead of unversioned packages)
+
+-------------------------------------------------------------------
+Wed Apr 4 15:31:30 UTC 2012 - [email protected]
+
+- update to 3.2.3
+ * Remove the leading \n added by textarea on assert_select. *Santiago
Pastorino*
+ * Fix #5632, render :inline set the proper rendered format. *Santiago
Pastorino*
+ * Fix textarea rendering when using plugins like HAML. Such plugins encode
the first newline character in the content. This issue was introduced in
https://github.com/rails/rails/pull/5191 *James Coleman*
+ * Add `config.action_view.embed_authenticity_token_in_remote_forms`
(defaults to true) which allows to set if authenticity token will be included
by default in remote forms. If you change it to false, you can still force
authenticity token by passing `:authenticity_token => true` in form options
*Piotr Sarnacki*
+ * Do not include the authenticity token in forms where remote: true as
ajax forms use the meta-tag value *DHH*
+ * Turn off verbose mode of rack-cache, we still have X-Rack-Cache to
+ check that info. Closes #5245. *Santiago Pastorino*
+ * Fix #5238, rendered_format is not set when template is not rendered.
*Piotr Sarnacki*
+ * Upgrade rack-cache to 1.2. *José Valim*
+ * ActionController::SessionManagement is deprecated. *Santiago Pastorino*
+ * Since the router holds references to many parts of the system like
engines, controllers and the application itself, inspecting the route set can
actually be really slow, therefore we default alias inspect to to_s. *José
Valim*
+ * Add a new line after the textarea opening tag. Closes #393 *Rafael
Mendonça França*
+ * Always pass a respond block from to responder. We should let the
responder to decide what to do with the given overridden response block, and
not short circuit it. *sikachu*
+ * Fixes layout rendering regression from 3.2.2. *José Valim*
+
+ ## Rails 3.2.2 (March 1, 2012) ##
+ * Format lookup for partials is derived from the format in which the
template is being rendered. Closes #5025 part 2 *Santiago Pastorino*
+ * Use the right format when a partial is missing. Closes #5025. *Santiago
Pastorino*
+ * Default responder will now always use your overridden block in
`respond_with` to render your response. *Prem Sichanugrist*
+ * check_box helper with :disabled => true will generate a disabled hidden
field to conform with the HTML convention where disabled fields are not
submitted with the form.
+ This is a behavior change, previously the hidden tag had a value of the
disabled checkbox.
+ *Tadas Tamosauskas*
+
+-------------------------------------------------------------------
+Fri Mar 23 10:43:18 UTC 2012 - [email protected]
+
+- Spec file cleanup:
+ * Factory preparation
+
+-------------------------------------------------------------------
+Fri Jan 27 01:03:48 UTC 2012 - [email protected]
+
+- update to 3.2.1
+ * Documentation improvements.
+ * Allow `form.select` to accept ranges (regression). *Jeremy Walker*
+ * `datetime_select` works with -/+ infinity dates. *Joe Van Dyk*
+
+-------------------------------------------------------------------
+Thu Jan 26 16:37:47 UTC 2012 - [email protected]
+
+- initial package of the 3.2 branch
+
New:
----
actionpack-3.2.12.gem
bug-809935_3-2-css_sanitize.patch
bug-809940_3-2-sanitize_protocol.patch
rubygem-actionpack-3_2.changes
rubygem-actionpack-3_2.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionpack-3_2.spec ++++++
#
# spec file for package rubygem-actionpack-3_2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: rubygem-actionpack-3_2
Version: 3.2.12
Release: 0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: ruby-macros >= 1
Requires: ruby >= 1.8.7
BuildRequires: ruby-devel >= 1.8.7
Url: http://www.rubyonrails.org
Source: %{mod_full_name}.gem
Source1: bug-809935_3-2-css_sanitize.patch
Source2: bug-809940_3-2-sanitize_protocol.patch
Summary: Web-flow and rendering framework putting the VC in MVC (part of
License: MIT
Group: Development/Languages/Ruby
%description
Web apps on Rails. Simple, battle-tested conventions for building and testing
MVC web applications. Works with any Rack-compatible server.
%package doc
Summary: RDoc documentation for %{mod_name}
Group: Development/Languages/Ruby
Requires: %{name} = %{version}
%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.
%prep
#gem_unpack
#if you need patches, apply them here and replace the # with a % sign in the
surrounding lines
#gem_build
%build
%install
%gem_install -f
pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}
patch -p2 < %{S:1}
patch -p2 < %{S:2}
popd
%files
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec
%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/
%changelog
++++++ bug-809935_3-2-css_sanitize.patch ++++++
diff --git
a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index af06bff..02eea58 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -110,8 +110,8 @@ module HTML
style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
# gauntlet
- if style !~
/^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+ if style !~
/\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
return ''
end
@@ -122,7 +122,7 @@ module HTML
elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
unless val.split().any? do |keyword|
!allowed_css_keywords.include?(keyword) &&
- keyword !~
/^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+ keyword !~
/\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
end
clean << prop + ': ' + val + ';'
end
++++++ bug-809940_3-2-sanitize_protocol.patch ++++++
diff --git
a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 02eea58..994e115 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -66,7 +66,7 @@ module HTML
# A regular expression of the valid characters used to separate protocols
like
# the ':' in 'http://foo.com'
- self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/
+ self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i
# Specifies a Set of HTML attributes that can have URIs.
self.uri_attributes = Set.new(%w(href src cite action longdesc
xlink:href lowsrc))
@@ -171,7 +171,7 @@ module HTML
def contains_bad_protocols?(attr_name, value)
uri_attributes.include?(attr_name) &&
- (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ &&
!allowed_protocols.include?(value.split(protocol_separator).first.downcase))
+ (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i &&
!allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end
end
end
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
