Hello community,
here is the log from the commit of package rubygem-actionpack-2_3.2359 for
openSUSE:12.2:Update checked in at 2013-12-18 13:57:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/rubygem-actionpack-2_3.2359 (Old)
and /work/SRC/openSUSE:12.2:Update/.rubygem-actionpack-2_3.2359.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionpack-2_3.2359"
Changes:
--------
New Changes file:
--- /dev/null 2013-11-25 01:44:08.036031256 +0100
+++
/work/SRC/openSUSE:12.2:Update/.rubygem-actionpack-2_3.2359.new/rubygem-actionpack-2_3.changes
2013-12-18 13:57:53.000000000 +0100
@@ -0,0 +1,189 @@
+-------------------------------------------------------------------
+Tue Dec 10 16:08:05 UTC 2013 - [email protected]
+
+- fix CVE-2013-6415: rubygem-actionpack: number_to_currency XSS
+ (bnc#853632). File CVE-2013-6415.patch contains the patch.
+
+-------------------------------------------------------------------
+Tue Apr 2 11:35:27 UTC 2013 - [email protected]
+
+- add 2 patches to fix security issues:
+ - bug-809935_2-3-css_sanitize.patch:
+ CVE-2013-1855: rubygem-actionpack*: XSS vulnerability in
+ sanitize_css in Action Pack (bnc#809935)
+ - bug-809940_2-3-sanitize_protocol.patch:
+ CVE-2013-1857: rubygem-actionpack*: XSS Vulnerability in the
+ `sanitize` helper of Ruby on Rails (bnc#809940)
+
+-------------------------------------------------------------------
+Wed Feb 13 23:15:03 UTC 2013 - [email protected]
+
+- update to version 2.3.17 (bnc#803336, bnc#803339)
+ CVE-2013-0276 CVE-2013-0277:
+ - testsuite updates for the active support single quote change
+
+-------------------------------------------------------------------
+Wed Jan 30 16:21:57 UTC 2013 - [email protected]
+
+- update to 2.3.16 (bnc#800320) CVE-2013-0333
+ - backporting deep_munge
+ - removing [nil] from the params
+ - Do not mark strip_tags result as html_safe
+- this obsoletes all our patches:
+ 2-3-null_array_param.patch
+ 2-3-null_param.patch
+ 3-0-strip_tags.patch
+
+-------------------------------------------------------------------
+Thu Jan 17 11:24:55 UTC 2013 - [email protected]
+
+- update to 2.3.15: (bnc#796712, bnc#797449, bnc#797452)
+ - handle missing 'HTTP_X_FORWARDED_FOR'
+ - added test suite for RCE bug
+
+-------------------------------------------------------------------
+Fri Sep 7 18:49:10 UTC 2012 - [email protected]
+
+- added 3-0-strip_tags.patch: (bnc#775649)
+ Do not mark strip_tags result as html_safe CVE-2012-3465
+
+-------------------------------------------------------------------
+Wed Jul 18 14:57:18 UTC 2012 - [email protected]
+
+- added 2 patches to fix security issues:
+ 2-3-null_param.patch (CVE-2012-2660) (bnc#765097)
+ 2-3-null_array_param.patch (CVE-2012-2694) (bnc#766791)
+- track series file from quilt for easier handling
+
+-------------------------------------------------------------------
+Wed Aug 17 12:02:42 UTC 2011 - [email protected]
+
+- update to version 2.3.14
+ - fix fixing strip tags vulnerability (bnc#712057)
+ - fixing response splitting problem (bnc#712058)
+
+-------------------------------------------------------------------
+Mon Jun 20 16:27:43 UTC 2011 - [email protected]
+
+- update to version 2.3.12
+ - dont call destroy on a session if it doesnt respond to destroy
+ - fix session timeout handling
+
+-------------------------------------------------------------------
+Wed Feb 16 11:09:20 UTC 2011 - [email protected]
+
+- update to version 2.3.11: (bnc#668817)
+ - XSS Risk in mail_to :encode=>:javascript CVE-2011-0446
+ - CSRF Bypass Risk CVE-2011-0447
+ - Filter Problems on Case Insensitive Filesystems CVE-2011-0449
+ - Potential SQL Injection with limit() CVE-2011-0448
+
+-------------------------------------------------------------------
+Mon Jan 17 13:21:21 UTC 2011 - [email protected]
+
+- Split off doc and testsuite subpackages.
+
+-------------------------------------------------------------------
+Wed Oct 27 11:34:50 UTC 2010 - [email protected]
+
+- update to version 2.3.10
+ * Version bump.
+
+-------------------------------------------------------------------
+Sun Sep 5 11:07:19 UTC 2010 - [email protected]
+
+- update to version 2.3.9
+ * Version bump.
+
+-------------------------------------------------------------------
+Tue May 25 16:08:12 UTC 2010 - [email protected]
+
+- use rubygems_requires macro
+
+-------------------------------------------------------------------
+Tue May 25 15:07:19 UTC 2010 - [email protected]
+
+- update to version 2.3.8
+ * HTML safety: fix compatibility *without* the optional rails_xss
+ plugin.
+- additional changes from version 2.3.7
+ * HTML safety: fix compatibility with the optional rails_xss
+ plugin. [Nathan Weizenbaum, Santiago Pastorino]
+- additional changes from version 2.3.6
+ * JSON: set Base.include_root_in_json = true to include a root
+ value in the JSON: {"post": {"title": ...}}. Mirrors the Active
+ Record option. #2584 [Matthew Moore, Joe Martinez, Elad
+ Meidar, Santiago Pastorino]
+ * Ruby 1.9: ERB template encoding using a magic comment at the
+ top of the file. [Jeremy Kemper] <%# encoding: utf-8 %>
+ * Fixed that default locale templates should be used if the
+ current locale template is missing [DHH]
+ * Fixed that PrototypeHelper#update_page should return html_safe
+ [DHH]
+ * Fixed that much of DateHelper wouldn't return html_safe?
+ strings [DHH]
+ * Fixed that fragment caching should return a cache hit as
+ html_safe (or it would all just get escaped) [DHH]
+ * Introduce String#html_safe for rails_xss plugin and
+ forward-compatibility with Rails 3. [Michael Koziarski,
+ Santiago Pastorino, José Ignacio Costa]
+ * Added :alert, :notice, and :flash as options to
+ ActionController::Base#redirect_to that'll automatically set
+ the proper flash before the redirection [DHH].
+ * Added ActionController::Base#notice/= and
+ ActionController::Base#alert/= as a convenience accessors in
+ both the controller and the view for flash[:notice]/= and
+ flash[:alert]/= [DHH]
+ * Added cookies.permanent, cookies.signed, and
+ cookies.permanent.signed accessor for common cookie actions
+ [DHH].
+- removed actionpack-2.3.5_button_to.patch:
+ included in update
+
+-------------------------------------------------------------------
+Thu Feb 18 14:09:24 UTC 2010 - [email protected]
+
+- add a patch to fix (bnc#581792):
+
https://rails.lighthouseapp.com/projects/8994/tickets/3448-button_to-does-not-return-an-html-safe-string
+
+-------------------------------------------------------------------
+Fri Jan 15 14:21:37 UTC 2010 - [email protected]
+
+- fix requires on rack. gem spec and code disagree with each other.
+
+-------------------------------------------------------------------
+Tue Dec 1 18:19:07 UTC 2009 - [email protected]
+
+- update to version 2.3.5
+ - Minor Bug Fixes and deprecation warnings
+ - Ruby 1.9 Support
+ - Fix filtering parameters when there are Fixnum or other
+ un-dupable values.
+ - Improvements to ActionView::TestCase
+ - Compatiblity with the rails_xss plugin
+- removed
actionpack-2.3.4_number_to_human_size_fix_eb30c695444b904d7937c8c12c59da9a8c4d60e5.patch:
+ included in update
+
+-------------------------------------------------------------------
+Fri Nov 20 13:53:22 UTC 2009 - [email protected]
+
+- added
actionpack-2.3.4_number_to_human_size_fix_eb30c695444b904d7937c8c12c59da9a8c4d60e5.patch
+ fix number_to_human_size (bnc#545720)
+
+-------------------------------------------------------------------
+Thu Sep 10 12:03:08 UTC 2009 - [email protected]
+
+- update to version 2.3.4
+
+-------------------------------------------------------------------
+Fri Jun 5 16:58:30 CEST 2009 - [email protected]
+
+- add rails-2.3.2_http_auth_digest_nil_check.patch:
+ do not allow authentication with a missing password (bnc#509914)
+
+-------------------------------------------------------------------
+Mon Mar 16 20:34:36 CET 2009 - [email protected]
+
+- starting package for the rails 2.3 series
+
+-------------------------------------------------------------------
New:
----
CVE-2013-6415.patch
actionpack-2.3.17.gem
bug-809935_2-3-css_sanitize.patch
bug-809940_2-3-sanitize_protocol.patch
rubygem-actionpack-2_3.changes
rubygem-actionpack-2_3.spec
series
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionpack-2_3.spec ++++++
#
# spec file for package rubygem-actionpack-2_3
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: rubygem-actionpack-2_3
Version: 2.3.17
Release: 0
%define mod_name actionpack
%define mod_full_name %{mod_name}-%{version}
#
#
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: rubygems_with_buildroot_patch
%rubygems_requires
Provides: rubygem-%{mod_name} = %{version}-%{release}
#
# activesupport = 2.3.15
BuildRequires: rubygem-activesupport-2_3 = %{version}
Requires: rubygem-activesupport-2_3 = %{version}
# rack ~> 1.1.0
BuildRequires: rubygem-rack-1_1 >= 1.1.3
Requires: rubygem-rack-1_1 >= 1.1.3
#
Url: http://rubyforge.org/projects/actionpack
Source: %{mod_full_name}.gem
Source1: bug-809935_2-3-css_sanitize.patch
Source2: bug-809940_2-3-sanitize_protocol.patch
Source3: CVE-2013-6415.patch
Source99: series
#
Summary: Web-flow and rendering framework putting the VC in MVC
License: MIT
Group: Development/Languages/Ruby
%description
Eases web-request routing, handling, and response as a half-way front, half-way
page controller. Implemented with specific emphasis on enabling easy
unit/integration testing that doesn't require a browser.
%package doc
Summary: RDoc documentation for %{mod_name}
Group: Development/Languages/Ruby
Requires: %{name} = %{version}
%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.
%package testsuite
Summary: Test suite for %{mod_name}
Group: Development/Languages/Ruby
Requires: %{name} = %{version}
%description testsuite
Test::Unit or RSpec files, useful for developers.
%prep
%build
%install
%gem_install %{S:0}
pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}
patch -p2 < %{S:1}
patch -p2 < %{S:2}
patch -p2 < %{S:3}
popd
find %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}/
-name \*\~ -print -delete
%clean
%{__rm} -rf %{buildroot}
%files
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%exclude %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec
%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/
%files testsuite
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test
%changelog
++++++ CVE-2013-6415.patch ++++++
diff --git a/actionpack/lib/action_view/helpers/number_helper.rb
b/actionpack/lib/action_view/helpers/number_helper.rb
index ad86d13..eee9e59 100644
--- a/actionpack/lib/action_view/helpers/number_helper.rb
+++ b/actionpack/lib/action_view/helpers/number_helper.rb
@@ -85,11 +85,11 @@
separator = '' if precision == 0
begin
- format.gsub(/%n/, number_with_precision(number,
+ format.gsub(/%n/, ERB::Util.html_escape(number_with_precision(number,
:precision => precision,
:delimiter => delimiter,
- :separator => separator)
- ).gsub(/%u/, unit).html_safe
+ :separator => separator))
+ ).gsub(/%u/, ERB::Util.html_escape(unit)).html_safe
rescue
number
end
++++++ bug-809935_2-3-css_sanitize.patch ++++++
diff --git
a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index ae20f99..a05ea0b 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -106,8 +106,8 @@ module HTML
style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
# gauntlet
- if style !~
/^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
+ if style !~
/\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
+ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
return ''
end
@@ -117,8 +117,8 @@ module HTML
clean << prop + ': ' + val + ';'
elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
unless val.split().any? do |keyword|
- !allowed_css_keywords.include?(keyword) &&
- keyword !~
/^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+ !allowed_css_keywords.include?(keyword) &&
+ keyword !~
/\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
end
clean << prop + ': ' + val + ';'
end
diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb
b/actionpack/test/controller/html-scanner/sanitizer_test.rb
index 9203251..561ebc5 100644
--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -249,6 +249,11 @@ class SanitizerTest < ActionController::TestCase
assert_equal '', sanitize_css(raw)
end
+ def test_should_sanitize_across_newlines
+ raw = %(\nwidth:\nexpression(alert('XSS'));\n)
+ assert_equal '', sanitize_css(raw)
+ end
+
def test_should_sanitize_img_vbscript
assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
end
--
1.8.1.1
++++++ bug-809940_2-3-sanitize_protocol.patch ++++++
diff --git
a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index a05ea0b..0fb82cb 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -62,8 +62,8 @@ module HTML
# A regular expression of the valid characters used to separate protocols
like
# the ':' in 'http://foo.com'
- self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/
-
+ self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i
+
# Specifies a Set of HTML attributes that can have URIs.
self.uri_attributes = Set.new(%w(href src cite action longdesc
xlink:href lowsrc))
@@ -166,8 +166,8 @@ module HTML
end
def contains_bad_protocols?(attr_name, value)
- uri_attributes.include?(attr_name) &&
- (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ &&
!allowed_protocols.include?(value.split(protocol_separator).first))
+ uri_attributes.include?(attr_name) &&
+ (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i &&
!allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end
end
end
diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb
b/actionpack/test/controller/html-scanner/sanitizer_test.rb
index 561ebc5..f72f66e 100644
--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -169,6 +169,7 @@ class SanitizerTest < ActionController::TestCase
%(<IMG SRC="jav
ascript:alert('XSS');">),
%(<IMG SRC="jav
ascript:alert('XSS');">),
%(<IMG SRC="  javascript:alert('XSS');">),
+ %(<IMG SRC="javascript:alert('XSS');">),
%(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do
|img_hack, i|
define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
assert_sanitized img_hack, "<img>"
@@ -270,6 +271,19 @@ class SanitizerTest < ActionController::TestCase
assert_sanitized %{<a href=\"http://www.domain.com?var1=1&var2=2\";>my
link</a>}
end
+ def test_should_sanitize_neverending_attribute
+ assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
+ end
+
+ def test_x03a
+ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="http://legit">), %(<a
href="http://legit";>)
+ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
+ assert_sanitized %(<a href="http://legit">), %(<a
href="http://legit";>)
+ end
+
protected
def assert_sanitized(input, expected = nil)
@sanitizer ||= HTML::WhiteListSanitizer.new
--
1.8.1.1
++++++ series ++++++
2-3-null_param.patch -p0
2-3-null_array_param.patch -p0
3-0-strip_tags.patch -p0
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
