Hello community,
here is the log from the commit of package rubygem-actionview-7.0 for
openSUSE:Factory checked in at 2023-04-21 18:47:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-actionview-7.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-actionview-7.0.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-actionview-7.0"
Fri Apr 21 18:47:43 2023 rev:8 rq:1081236 version:7.0.4.3
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-actionview-7.0/rubygem-actionview-7.0.changes
2023-03-08 14:52:26.710634414 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-actionview-7.0.new.1533/rubygem-actionview-7.0.changes
2023-04-21 18:47:47.700176137 +0200
@@ -1,0 +2,7 @@
+Fri Apr 21 11:21:08 UTC 2023 - Marcus Rueckert <[email protected]>
+
+- Update to version 7.0.4.3:
+
https://rubyonrails.org/2023/3/13/Rails-7-0-4-3-and-6-1-7-3-have-been-released
+
https://rubyonrails.org/2023/1/24/Rails-7-0-4-2-and-6-1-7-2-have-been-released
+
+-------------------------------------------------------------------
Old:
----
actionview-7.0.4.1.gem
New:
----
actionview-7.0.4.3.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-actionview-7.0.spec ++++++
--- /var/tmp/diff_new_pack.8eaEbW/_old 2023-04-21 18:47:48.228179197 +0200
+++ /var/tmp/diff_new_pack.8eaEbW/_new 2023-04-21 18:47:48.232179219 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-actionview-7.0
-Version: 7.0.4.1
+Version: 7.0.4.3
Release: 0
%define mod_name actionview
%define mod_full_name %{mod_name}-%{version}
++++++ actionview-7.0.4.1.gem -> actionview-7.0.4.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2023-01-17 19:54:56.000000000 +0100
+++ new/CHANGELOG.md 2023-03-13 19:52:51.000000000 +0100
@@ -1,3 +1,15 @@
+## Rails 7.0.4.3 (March 13, 2023) ##
+
+* Ignore certain data-* attributes in rails-ujs when element is
contenteditable
+
+ [CVE-2023-23913]
+
+
+## Rails 7.0.4.2 (January 24, 2023) ##
+
+* No changes.
+
+
## Rails 7.0.4.1 (January 17, 2023) ##
* No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/action_view/gem_version.rb
new/lib/action_view/gem_version.rb
--- old/lib/action_view/gem_version.rb 2023-01-17 19:54:56.000000000 +0100
+++ new/lib/action_view/gem_version.rb 2023-03-13 19:52:51.000000000 +0100
@@ -10,7 +10,7 @@
MAJOR = 7
MINOR = 0
TINY = 4
- PRE = "1"
+ PRE = "3"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/assets/compiled/rails-ujs.js
new/lib/assets/compiled/rails-ujs.js
--- old/lib/assets/compiled/rails-ujs.js 2023-01-17 19:54:56.000000000
+0100
+++ new/lib/assets/compiled/rails-ujs.js 2023-03-13 19:52:51.000000000
+0100
@@ -73,6 +73,22 @@
return element[expando][key] = value;
};
+ Rails.isContentEditable = function(element) {
+ var isEditable;
+ isEditable = false;
+ while (true) {
+ if (element.isContentEditable) {
+ isEditable = true;
+ break;
+ }
+ element = element.parentElement;
+ if (!element) {
+ break;
+ }
+ }
+ return isEditable;
+ };
+
Rails.$ = function(selector) {
return Array.prototype.slice.call(document.querySelectorAll(selector));
};
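Review bot: `Rails.isContentEditable` has no comment explaining why it climbs `parentElement` instead of returning `element.isContentEditable` directly, and that reason is the security-relevant part of the helper. The DOM property is false for a node marked `contenteditable="false"` nested inside an editable host, so the walk appears intended to treat every descendant of an editable region as untrusted regardless of its own attribute. I would add above the function: `// True if element or any ancestor is editable; descendants with contenteditable="false" still count, because markup inside an editable region may be user-supplied.` The path suggests this file is compiled output, so the comment belongs in its source as well.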
@@ -395,9 +411,9 @@
}).call(this);
(function() {
- var disableFormElement, disableFormElements, disableLinkElement,
enableFormElement, enableFormElements, enableLinkElement, formElements,
getData, isXhrRedirect, matches, setData, stopEverything;
+ var disableFormElement, disableFormElements, disableLinkElement,
enableFormElement, enableFormElements, enableLinkElement, formElements,
getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
- matches = Rails.matches, getData = Rails.getData, setData =
Rails.setData, stopEverything = Rails.stopEverything, formElements =
Rails.formElements;
+ matches = Rails.matches, getData = Rails.getData, setData =
Rails.setData, stopEverything = Rails.stopEverything, formElements =
Rails.formElements, isContentEditable = Rails.isContentEditable;
Rails.handleDisabledElement = function(e) {
var element;
@@ -417,6 +433,9 @@
} else {
element = e;
}
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return enableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) ||
matches(element, Rails.formEnableSelector)) {
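Review bot: The early `return` added here when `isContentEditable(element)` is true carries no explanation, and the same bare guard appears in the `Rails.disableElement` hunk (`@@ -429`) and the `Rails.handleMethod` hunk (`@@ -524`). Without the changelog a reader cannot tell that these guards are the control for CVE-2023-23913 rather than a UI nicety, which makes them easy to drop in a later refactor. I would put `// Ignore data-* driven behaviour inside contenteditable regions (CVE-2023-23913).` above this guard and a short pointer to it above the other two. The enclosing function starts and ends outside this hunk.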
@@ -429,6 +448,9 @@
Rails.disableElement = function(e) {
var element;
element = e instanceof Event ? e.target : e;
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return disableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) ||
matches(element, Rails.formDisableSelector)) {
@@ -513,10 +535,12 @@
}).call(this);
(function() {
- var stopEverything;
+ var isContentEditable, stopEverything;
stopEverything = Rails.stopEverything;
+ isContentEditable = Rails.isContentEditable;
+
Rails.handleMethod = function(e) {
var csrfParam, csrfToken, form, formContent, href, link, method;
link = this;
@@ -524,6 +548,9 @@
if (!method) {
return;
}
+ if (isContentEditable(this)) {
+ return;
+ }
href = Rails.href(link);
csrfToken = Rails.csrfToken();
csrfParam = Rails.csrfParam();
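Review bot: The guard calls `isContentEditable(this)` although `link = this` is assigned at the top of `Rails.handleMethod` and the lines after the guard use `link`; `if (isContentEditable(link)) {` would keep the function consistent. The guard returns without calling `stopEverything`, so presumably the click falls through to the browser's default navigation and the link behaves as a plain GET. If that is the intended outcome, a comment such as `// data-method is ignored in editable regions; the link falls back to default navigation.` would record it. The function body continues outside this hunk.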
@@ -545,10 +572,10 @@
}).call(this);
(function() {
- var ajax, fire, getData, isCrossDomain, isRemote, matches,
serializeElement, setData, stopEverything,
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote,
matches, serializeElement, setData, stopEverything,
slice = [].slice;
- matches = Rails.matches, getData = Rails.getData, setData =
Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax =
Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement =
Rails.serializeElement;
+ matches = Rails.matches, getData = Rails.getData, setData =
Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax =
Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement =
Rails.serializeElement, isContentEditable = Rails.isContentEditable;
isRemote = function(element) {
var value;
@@ -566,6 +593,10 @@
fire(element, 'ajax:stopped');
return false;
}
+ if (isContentEditable(element)) {
+ fire(element, 'ajax:stopped');
+ return false;
+ }
withCredentials = element.getAttribute('data-with-credentials');
dataType = element.getAttribute('data-type') || 'script';
if (matches(element, Rails.formSubmitSelector)) {
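Review bot: This guard returns `false` after firing `ajax:stopped`, while the guards added in `Rails.handleMethod`, `Rails.disableElement` and the enable path return `undefined`, and the difference is not explained. It mirrors the rejection branch directly above it, but the two outcomes may differ in practice. If the event delegate treats a `false` return as a request to cancel the event (not visible on this page), a `data-remote` link inside an editable region has its click swallowed, while a `data-method` link there still navigates. A comment stating the intended outcome, e.g. `// Editable regions may hold user-supplied markup: refuse the remote request and stop the event.`, would settle it. The enclosing function starts and ends outside this hunk.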
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2023-01-17 19:54:56.000000000 +0100
+++ new/metadata 2023-03-13 19:52:51.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: actionview
version: !ruby/object:Gem::Version
- version: 7.0.4.1
+ version: 7.0.4.3
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2023-01-17 00:00:00.000000000 Z
+date: 2023-03-13 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,14 +16,14 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.4.1
+ version: 7.0.4.3
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.4.1
+ version: 7.0.4.3
- !ruby/object:Gem::Dependency
name: builder
requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.4.1
+ version: 7.0.4.3
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.4.1
+ version: 7.0.4.3
- !ruby/object:Gem::Dependency
name: activemodel
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.4.1
+ version: 7.0.4.3
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.4.1
+ version: 7.0.4.3
description: Simple, battle-tested conventions and helpers for building web
pages.
email: [email protected]
executables: []
@@ -246,10 +246,10 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v7.0.4.1/actionview/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.4.1/
+ changelog_uri:
https://github.com/rails/rails/blob/v7.0.4.3/actionview/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.4.3/
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.4.1/actionview
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.4.3/actionview
rubygems_mfa_required: 'true'
post_install_message:
rdoc_options: []