Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rubygem-loofah for openSUSE:Factory checked in at 2023-03-08 14:52:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-loofah (Old) and /work/SRC/openSUSE:Factory/.rubygem-loofah.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-loofah" Wed Mar 8 14:52:23 2023 rev:25 rq:1069966 version:2.19.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-loofah/rubygem-loofah.changes 2022-10-12 18:27:06.966010097 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-loofah.new.31432/rubygem-loofah.changes 2023-03-08 14:52:27.542638945 +0100 @@ -1,0 +2,13 @@ +Mon Mar 6 14:42:39 UTC 2023 - Paolo Perego <paolo.per...@suse.com> + +- udpated to version 2.19.1 + + ## 2.19.1 / 2022-12-13 + + ### SecurityAddress + * Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information. + * Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information. + * Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information. + + +------------------------------------------------------------------- @@ -405 +417,0 @@ - Old: ---- loofah-2.19.0.gem New: ---- loofah-2.19.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-loofah.spec ++++++ --- /var/tmp/diff_new_pack.Qbptab/_old 2023-03-08 14:52:28.034641624 +0100 +++ /var/tmp/diff_new_pack.Qbptab/_new 2023-03-08 14:52:28.042641668 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-loofah # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ # Name: rubygem-loofah -Version: 2.19.0 +Version: 2.19.1 Release: 0 %define mod_name loofah %define mod_full_name %{mod_name}-%{version} ++++++ loofah-2.19.0.gem -> loofah-2.19.1.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md --- old/CHANGELOG.md 2022-09-14 15:37:45.000000000 +0200 +++ new/CHANGELOG.md 2022-12-12 23:22:47.000000000 +0100 
@@ -1,5 +1,14 @@ # Changelog +## 2.19.1 / 2022-12-13 + +### Security + +* Address CVE-2022-23514, inefficient regular expression complexity. See [GHSA-486f-hjj9-9vhh](https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh) for more information. +* Address CVE-2022-23515, improper neutralization of data URIs. See [GHSA-228g-948r-83gx](https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx) for more information. +* Address CVE-2022-23516, uncontrolled recursion. See [GHSA-3x8r-x6xp-q4vm](https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm) for more information. + + ## 2.19.0 / 2022-09-14 ### Features Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/html5/safelist.rb new/lib/loofah/html5/safelist.rb --- old/lib/loofah/html5/safelist.rb 2022-09-14 15:37:45.000000000 +0200 +++ new/lib/loofah/html5/safelist.rb 2022-12-12 23:22:47.000000000 +0100 @@ -999,7 +999,6 @@ "image/gif", "image/jpeg", "image/png", - "image/svg+xml", "text/css", "text/plain", ]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/html5/scrub.rb new/lib/loofah/html5/scrub.rb --- old/lib/loofah/html5/scrub.rb 2022-09-14 15:37:45.000000000 +0200 +++ new/lib/loofah/html5/scrub.rb 2022-12-12 23:22:47.000000000 +0100 
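Review bot: Dropping `"image/svg+xml"` from the allowed data-URI media types is the CVE-2022-23515 fix, but nothing in the list records why it is absent, so a later contributor may read the gap as an omission and re-add it. I would put a comment where the entry used to sit, `# "image/svg+xml" is deliberately absent: SVG is an active document format, not a plain raster image, and its content is not scrubbed when embedded through a data: URI.` The constant holding this list starts before the hunk, so the comment placement should be checked against the full definition.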
@@ -36,24 +36,13 @@ end if SafeList::ATTR_VAL_IS_URI.include?(attr_name) - # this block lifted nearly verbatim from HTML5 sanitization - val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS, "").downcase - if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && !SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0]) - attr_node.remove - next - elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == "data" - # permit only allowed data mediatypes - mediatype = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[1] - mediatype, _ = mediatype.split(";")[0..1] if mediatype - if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype) - attr_node.remove - next - end - end + next if scrub_uri_attribute(attr_node) end + if SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name) - attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, " ") if attr_node.value + scrub_attribute_that_allows_local_ref(attr_node) end + if SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == "xlink:href" && attr_node.value =~ /^\s*[^#\s].*/m attr_node.remove next 
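Review bot: `next if scrub_uri_attribute(attr_node)` depends on an undocumented convention that a truthy return means the attribute node has already been removed, and the `next` exists precisely so the later checks do not touch a detached node. A comment on the call site would pin that down: `# scrub_uri_attribute removes the node and returns true when its value uses a disallowed protocol or data media type`. The three checks are also order-sensitive, since `scrub_attribute_that_allows_local_ref` rewrites `attr_node.value` before the `xlink:href` check reads it for any attribute that appears in both lists; a one-line `# order matters: the local-ref rewrite runs before the xlink:href test` would save the next reader a trace. The enclosing method starts before and ends after this hunk, and both helpers are defined in a later hunk of the same file.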
@@ -127,6 +116,47 @@
           Crass::Parser.stringify(sanitized_tree)
         end
 
+        def scrub_attribute_that_allows_local_ref(attr_node)
+          return unless attr_node.value
+
+          nodes = Crass::Parser.new(attr_node.value).parse_component_values
+
+          values = nodes.map do |node|
+            case node[:node]
+            when :url
+              if node[:value].start_with?("#")
+                node[:raw]
+              else
+                nil
+              end
+            when :hash, :ident, :string
+              node[:raw]
+            else
+              nil
+            end
+          end.compact
+
+          attr_node.value = values.join(" ")
+        end
+
+        def scrub_uri_attribute(attr_node)
+          # this block lifted nearly verbatim from HTML5 sanitization
+          val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(CONTROL_CHARACTERS, "").downcase
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && !SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0])
+            attr_node.remove
+            return true
+          elsif val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[0] == "data"
+            # permit only allowed data mediatypes
+            mediatype = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)[1]
+            mediatype, _ = mediatype.split(";")[0..1] if mediatype
+            if mediatype && !SafeList::ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
+              attr_node.remove
+              return true
+            end
+          end
+          false
+        end
+
         #
         # libxml2 >= 2.9.2 fails to escape comments within some attributes.
         #
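Review bot: `scrub_uri_attribute` splits `val_unescaped` on `SafeList::PROTOCOL_SEPARATOR` up to three times for the same string; computing `parts = val_unescaped.split(SafeList::PROTOCOL_SEPARATOR)` once after the `downcase` line and using `parts[0]` in both conditions and `parts[1]` for `mediatype` keeps the three tests visibly consistent, and `mediatype, _ = mediatype.split(";")[0..1] if mediatype` reduces to `mediatype = mediatype.split(";").first if mediatype` with the same result. Neither helper states its contract: above `scrub_uri_attribute` I would add `# Returns true when the attribute node was removed because its value uses a disallowed protocol or data media type; false leaves the node untouched.`, and above `scrub_attribute_that_allows_local_ref` a comment saying that the value is rewritten so only same-document `url(#...)` references, hash, identifier and string tokens survive and every other token kind is dropped. The `map` with explicit `nil` branches followed by `.compact` could be `filter_map` if the gem's minimum Ruby is 2.7 or newer; that is a style preference only.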
@@ -152,6 +182,46 @@
           end.force_encoding(encoding)
         end
       end
+
+      def cdata_needs_escaping?(node)
+        # Nokogiri's HTML4 parser on JRuby doesn't flag the child of a `style` or `script` tag as cdata, but it acts that way
+        node.cdata? || (Nokogiri.jruby? && node.text? && (node.parent.name == "style" || node.parent.name == "script"))
+      end
+
+      def cdata_escape(node)
+        escaped_text = escape_tags(node.text)
+        if Nokogiri.jruby?
+          node.document.create_text_node(escaped_text)
+        else
+          node.document.create_cdata(escaped_text)
+        end
+      end
+
+      TABLE_FOR_ESCAPE_HTML__ = {
+        '<' => '<',
+        '>' => '>',
+        '&' => '&',
+      }
+
+      def escape_tags(string)
+        # modified version of CGI.escapeHTML from ruby 3.1
+        enc = string.encoding
+        unless enc.ascii_compatible?
+          if enc.dummy?
+            origenc = enc
+            enc = Encoding::Converter.asciicompat_encoding(enc)
+            string = enc ? string.encode(enc) : string.b
+          end
+          table = Hash[TABLE_FOR_ESCAPE_HTML__.map {|pair|pair.map {|s|s.encode(enc)}}]
+          string = string.gsub(/#{"[<>&]".encode(enc)}/, table)
+          string.encode!(origenc) if origenc
+          string
+        else
+          string = string.b
+          string.gsub!(/[<>&]/, TABLE_FOR_ESCAPE_HTML__)
+          string.force_encoding(enc)
+        end
+      end
     end
   end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/scrubber.rb new/lib/loofah/scrubber.rb
--- old/lib/loofah/scrubber.rb 2022-09-14 15:37:45.000000000 +0200
+++ new/lib/loofah/scrubber.rb 2022-12-12 23:22:47.000000000 +0100
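Review bot: `TABLE_FOR_ESCAPE_HTML__` is a mutable Hash constant that `escape_tags` hands straight to `gsub!`; closing it with `}.freeze` prevents any caller from altering what the escaper substitutes. As rendered here every entry maps a character to itself (`'<' => '<'`), which would make `escape_tags` a no-op; this looks like the HTML entity references being decoded by the mail rendering rather than the shipped code, but it is worth confirming against the gem that the values are the entity forms. In `cdata_needs_escaping?`, `node.parent.name` runs on JRuby for every text node and raises if the node is detached and `parent` is nil; `node.parent&.name` would be safer, assuming a detached node can reach this path at all. The trailing double underscore in the constant name and the `{|pair|pair.map {|s|s.encode(enc)}}` spacing depart from the file's style; since the method is `CGI.escapeHTML` carried over, a comment such as `# kept close to CGI.escapeHTML so it can be diffed against upstream` would explain the deviation.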
@@ -108,6 +108,10 @@ return Scrubber::CONTINUE end when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE + if HTML5::Scrub.cdata_needs_escaping?(node) + node.before(HTML5::Scrub.cdata_escape(node)) + return Scrubber::STOP + end return Scrubber::CONTINUE end Scrubber::STOP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/scrubbers.rb new/lib/loofah/scrubbers.rb --- old/lib/loofah/scrubbers.rb 2022-09-14 15:37:45.000000000 +0200 +++ new/lib/loofah/scrubbers.rb 2022-12-12 23:22:47.000000000 +0100 @@ -100,13 +100,9 @@ def scrub(node) return CONTINUE if html5lib_sanitize(node) == CONTINUE - if node.children.length == 1 && node.children.first.cdata? - sanitized_text = Loofah.fragment(node.children.first.to_html).scrub!(:strip).to_html - node.before Nokogiri::XML::Text.new(sanitized_text, node.document) - else - node.before node.children - end + node.before(node.children) node.remove + return STOP end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/loofah/version.rb new/lib/loofah/version.rb --- old/lib/loofah/version.rb 2022-09-14 15:37:45.000000000 +0200 +++ new/lib/loofah/version.rb 2022-12-12 23:22:47.000000000 +0100 @@ -1,5 +1,5 @@ # frozen_string_literal: true module Loofah # The version of Loofah you are using - VERSION = "2.19.0" + VERSION = "2.19.1" end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2022-09-14 15:37:45.000000000 +0200 +++ new/metadata 2022-12-12 23:22:47.000000000 +0100 @@ -1,7 +1,7 @@ --- !ruby/object:Gem::Specification name: loofah version: !ruby/object:Gem::Version - version: 2.19.0 + version: 2.19.1 platform: ruby authors: - Mike Dalessio @@ -9,7 +9,7 @@ autorequire: bindir: bin cert_chain: [] -date: 2022-09-14 00:00:00.000000000 Z +date: 2022-12-12 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: crass
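Review bot: The new branch inserts the escaped copy with `node.before(...)` and returns `Scrubber::STOP` but leaves the original text or CDATA node in place, so the result is correct only if every scrubber that receives STOP from this method removes `node` itself; the Strip scrubber changed in this commit does (`node.remove`), but the other scrubbers are not visible here and should be checked so an unescaped node cannot survive next to its escaped copy. A comment on the branch would pin the contract: `# the caller must remove the original node after STOP; only the escaped sibling should remain`. The enclosing method starts before and ends after this hunk.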
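Review bot: `return STOP` as the last statement of `scrub` is an explicit return where Ruby's implicit return is the idiom; `STOP` on its own line reads the same and matches the surrounding style, where only the early guard `return CONTINUE if ...` needs `return`. The removal of the CDATA special case also deserves a note at `node.before(node.children)`, since the reason it is now safe lives in a different file: `# cdata children are escaped by the html5lib pass before they are hoisted here`, hedged to whatever the scrubber.rb method that calls `cdata_escape` is actually named, as its definition is not visible in this diff.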