Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package rubygem-activesupport-7.0 for
openSUSE:Factory checked in at 2022-04-30 22:52:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activesupport-7.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-activesupport-7.0.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activesupport-7.0"
Sat Apr 30 22:52:22 2022 rev:3 rq:974043 version:7.0.2.4
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-activesupport-7.0/rubygem-activesupport-7.0.changes
2022-03-11 11:35:13.434193912 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-activesupport-7.0.new.1538/rubygem-activesupport-7.0.changes
2022-04-30 22:52:30.792222253 +0200
@@ -1,0 +2,16 @@
+Thu Apr 28 05:16:26 UTC 2022 - Stephan Kulow <[email protected]>
+
+updated to version 7.0.2.4
+ see installed CHANGELOG.md
+
+ ## Rails 7.0.2.4 (April 26, 2022) ##
+
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
+ in names of tags and names of attributes, following the specification of
XML.
+
+ *??lvaro Mart??n Fraguas*
+
+
+-------------------------------------------------------------------
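Review bot: the entry says the fix covers `ActionView::Helpers` as well as `ERB::Util`, but this package ships only activesupport, and the diff below adds `ERB::Util.xml_name_escape` without anything that calls it; the tag and attribute helpers that consume it live in actionview, so the XSS protection only takes effect once rubygem-actionview-7.0 is updated to 7.0.2.4 alongside this request. Consider stating that dependency in the entry, and, since this is a security update, adding the upstream advisory reference and bug number in the usual `CVE-... / bsc#...` form so the security team can track it; "see installed CHANGELOG.md" alone will not surface it in the update tooling.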
Old:
----
activesupport-7.0.2.3.gem
New:
----
activesupport-7.0.2.4.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-activesupport-7.0.spec ++++++
--- /var/tmp/diff_new_pack.tQF8s4/_old 2022-04-30 22:52:31.396223070 +0200
+++ /var/tmp/diff_new_pack.tQF8s4/_new 2022-04-30 22:52:31.400223076 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-activesupport-7.0
-Version: 7.0.2.3
+Version: 7.0.2.4
Release: 0
%define mod_name activesupport
%define mod_full_name %{mod_name}-%{version}
++++++ activesupport-7.0.2.3.gem -> activesupport-7.0.2.4.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2022-03-08 18:50:03.000000000 +0100
+++ new/CHANGELOG.md 2022-04-26 21:32:32.000000000 +0200
@@ -1,3 +1,12 @@
+## Rails 7.0.2.4 (April 26, 2022) ##
+
+* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+ Add the method `ERB::Util.xml_name_escape` to escape dangerous characters
+ in names of tags and names of attributes, following the specification of
XML.
+
+ *??lvaro Mart??n Fraguas*
+
## Rails 7.0.2.3 (March 08, 2022) ##
* No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_support/core_ext/string/output_safety.rb
new/lib/active_support/core_ext/string/output_safety.rb
--- old/lib/active_support/core_ext/string/output_safety.rb 2022-03-08
18:50:03.000000000 +0100
+++ new/lib/active_support/core_ext/string/output_safety.rb 2022-04-26
21:32:32.000000000 +0200
@@ -11,6 +11,14 @@
HTML_ESCAPE_ONCE_REGEXP =
/["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
+ # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
+ TAG_NAME_START_REGEXP_SET =
":A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}"
\
+
"\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}"
\
+ "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
+ TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
+ TAG_NAME_FOLLOWING_REGEXP =
/[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
+ TAG_NAME_REPLACEMENT_CHAR = "_"
+
# A utility method for escaping HTML tag characters.
# This method is also aliased as <tt>h</tt>.
#
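Review bot: the ranges in TAG_NAME_START_REGEXP_SET match the NameStartChar production of the linked spec, and TAG_NAME_FOLLOWING_REGEXP adds exactly the NameChar extras (`-`, `.`, `0-9`, `\u{B7}`, `\u{0300}-\u{036F}`, `\u{203F}-\u{2040}`), so the classes look correct. One caveat: the set is a plain string interpolated into the body of a negated character class, so a later edit that introduces an unescaped `]`, `^` or `\` into it would silently change the meaning of both regexps without a syntax error; a comment saying the string is used as a class body, plus a test asserting the regexps reject `<`, `>`, `&`, `"`, `'` and space, would guard that. Also, these constants land in the public `ERB::Util` namespace under generic TAG_NAME_* names, next to the HTML_ and JSON_ prefixed ones; an XML_ prefix would match the file's convention and reduce the chance of a clash with other code that reopens `ERB::Util`.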
@@ -115,6 +123,26 @@
end
module_function :json_escape
+
+ # A utility method for escaping XML names of tags and names of attributes.
+ #
+ # xml_name_escape('1 < 2 & 3')
+ # # => "1___2___3"
+ #
+ # It follows the requirements of the specification:
https://www.w3.org/TR/REC-xml/#NT-Name
+ def xml_name_escape(name)
+ name = name.to_s
+ return "" if name.blank?
+
+ starting_char = name[0].gsub(TAG_NAME_START_REGEXP,
TAG_NAME_REPLACEMENT_CHAR)
+
+ return starting_char if name.size == 1
+
+ following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP,
TAG_NAME_REPLACEMENT_CHAR)
+
+ starting_char + following_chars
+ end
+ module_function :xml_name_escape
end
end
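Review bot: `return "" if name.blank?` means nil, "" and whitespace-only input all come back as an empty name, so a caller that interpolates the result as `<#{escaped}>` still emits a malformed tag; either document in the comment that callers must reject an empty result, or raise instead of returning "". The method also depends on `blank?`, an ActiveSupport core extension, while the hunk adds no `require "active_support/core_ext/object/blank"` to this file; confirm the require chain, since `ERB::Util` is reachable from code that loaded only output_safety.rb. Finally, every rejected character collapses to `_`, so distinct inputs such as `a<b` and `a>b` both become `a_b`; that is acceptable for an escape whose job is to neutralise markup, but worth a line in the doc comment so nobody relies on the output as a unique key.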
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_support/gem_version.rb
new/lib/active_support/gem_version.rb
--- old/lib/active_support/gem_version.rb 2022-03-08 18:50:03.000000000
+0100
+++ new/lib/active_support/gem_version.rb 2022-04-26 21:32:32.000000000
+0200
@@ -10,7 +10,7 @@
MAJOR = 7
MINOR = 0
TINY = 2
- PRE = "3"
+ PRE = "4"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2022-03-08 18:50:03.000000000 +0100
+++ new/metadata 2022-04-26 21:32:32.000000000 +0200
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: activesupport
version: !ruby/object:Gem::Version
- version: 7.0.2.3
+ version: 7.0.2.4
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2022-03-08 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: i18n
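Review bot: `cert_chain: []` in the context shows the gem is still unsigned, so nothing inside the artifact attests to its origin; the integrity anchor for this update is the checksum recorded for activesupport-7.0.2.4.gem in the OBS sources (the changed `checksums.yaml.gz` only covers files inside the gem). As a matter of routine for a security update, confirm the fetched gem's SHA256 against rubygems.org before accepting; the `rubygems_mfa_required: 'true'` setting further down helps on the publishing side but does not verify the artifact here.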
@@ -359,10 +359,10 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v7.0.2.3/activesupport/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
+ changelog_uri:
https://github.com/rails/rails/blob/v7.0.2.4/activesupport/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/activesupport
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/activesupport
rubygems_mfa_required: 'true'
post_install_message:
rdoc_options: