Hello community, here is the log from the commit of package rubygem-RedCloth for openSUSE:Factory checked in at 2016-05-29 03:12:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-RedCloth (Old) and /work/SRC/openSUSE:Factory/.rubygem-RedCloth.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-RedCloth" Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-RedCloth/rubygem-RedCloth.changes 2016-04-12 19:32:39.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-RedCloth.new/rubygem-RedCloth.changes 2016-05-29 03:13:48.000000000 +0200 @@ -1,0 +2,31 @@ +Thu May 26 04:28:21 UTC 2016 - [email protected] + +- updated to version 4.3.2 + see installed CHANGELOG + + == 4.3.2 / May 23rd, 2016 + + * Fix additional case for CVE-2012-6684 [Joshua Siler] + + == 4.3.1 / May 17th, 2016 + + * Fix additional case for CVE-2012-6684 [Joshua Siler] + + == 4.3.0 / April 29th, 2016 + + * Remove JRuby and Windows cross compilation and support + * Add Ruby 2.2.3 testing and support + + * include CVE-2012-6684 fix [Tomas Pospisek] + * fix by [Antonio Terceiro] + * see http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/ + * vulnerability reported by [Kousuke Ebihara] + * see http://co3k.org/blog/redcloth-unfixed-xss-en + + == 4.2.9.1 / February 24, 2015 + + * Lazy-load latex_entities.yml [Charlie Somerville] + +- obsoletes 0001-Filter-out-javascript-links-when-using-filter_html-o.patch + +------------------------------------------------------------------- Old: ---- 0001-Filter-out-javascript-links-when-using-filter_html-o.patch RedCloth-4.2.9.gem New: ---- RedCloth-4.3.2.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-RedCloth.spec ++++++ --- /var/tmp/diff_new_pack.Iyt4eU/_old 2016-05-29 03:13:49.000000000 +0200 +++ /var/tmp/diff_new_pack.Iyt4eU/_new 2016-05-29 03:13:49.000000000 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-RedCloth -Version: 4.2.9 +Version: 4.3.2 Release: 0 %define mod_name RedCloth %define mod_full_name %{mod_name}-%{version} 
@@ -39,9 +39,6 @@ Source1: rubygem-RedCloth-rpmlintrc Source2: series Source3: gem2rpm.yml -# MANUAL -Patch0: 0001-Filter-out-javascript-links-when-using-filter_html-o.patch -# /MANUAL Summary: Textile parser for Ruby License: MIT Group: Development/Languages/Ruby @@ -51,10 +48,6 @@ Textile parser for Ruby. %prep -%gem_unpack -%patch0 -p1 -find -type f -print0 | xargs -0 touch -r %{S:0} -%gem_build %build ++++++ RedCloth-4.2.9.gem -> RedCloth-4.3.2.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG new/CHANGELOG --- old/CHANGELOG 1970-01-01 01:00:00.000000000 +0100 +++ new/CHANGELOG 2016-05-24 02:29:39.000000000 +0200 @@ -1,3 +1,26 @@ +== 4.3.2 / May 23rd, 2016 + +* Fix additional case for CVE-2012-6684 [Joshua Siler] + +== 4.3.1 / May 17th, 2016 + +* Fix additional case for CVE-2012-6684 [Joshua Siler] + +== 4.3.0 / April 29th, 2016 + +* Remove JRuby and Windows cross compilation and support +* Add Ruby 2.2.3 testing and support + +* include CVE-2012-6684 fix [Tomas Pospisek] + * fix by [Antonio Terceiro] + * see http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/ + * vulnerability reported by [Kousuke Ebihara] + * see http://co3k.org/blog/redcloth-unfixed-xss-en + +== 4.2.9.1 / February 24, 2015 + +* Lazy-load latex_entities.yml [Charlie Somerville] + == 4.2.9 / November 25, 2011 * Fix RbConfig / Config warning in Ruby 1.9.3. [Steve Purcell, Robert Gleeson, and unclaimedbaggage] @@ -82,7 +105,7 @@ * Accept multiline content in table cells. [Jason Garber] * Change to list attributes so you can give style/class to list items (taken from PyTextile). Breaks backwards compatibility. - + Before, the style applied to the first list item applied to the entire list. Now, class/id/style placed before the list applies to the list element and after the hash or asterisk applies to the list item. For example: 
@@ -163,7 +186,7 @@ To compile the jruby version of the gem: jruby -S rake compile * Added textilize ERB utility method. [edraut] - Use it in an ERB template like this: <%=t my_textile_string %> or + Use it in an ERB template like this: <%=t my_textile_string %> or <%=r %{Some *textile* if you please!} %> * Fix extended blockcode stripping whitespace following blank line. #78 @@ -258,4 +281,4 @@ * Over 500 tests prevent regression -* It's 40 times faster than the previous version. \ No newline at end of file +* It's 40 times faster than the previous version. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Gemfile new/Gemfile --- old/Gemfile 1970-01-01 01:00:00.000000000 +0100 +++ new/Gemfile 2016-05-24 02:29:39.000000000 +0200 @@ -1,7 +1,7 @@ -source :rubygems +source 'https://rubygems.org' gemspec group :compilation do - gem 'rvm', '~> 1.2.6' + gem 'rvm', '~> 1.11.3.9' gem 'rake-compiler', '~> 0.7.1' -end \ No newline at end of file +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.rdoc new/README.rdoc --- old/README.rdoc 1970-01-01 01:00:00.000000000 +0100 +++ new/README.rdoc 2016-05-24 02:29:39.000000000 +0200 
@@ -1,59 +1,49 @@ = RedCloth - Textile parser for Ruby Homepage:: http://redcloth.org +Maintainer:: Joshua Siler https://github.com/joshuasiler Author:: Jason Garber Copyright:: (c) 2011 Jason Garber License:: MIT +{<img src="https://travis-ci.org/jgarber/redcloth.svg" />}[https://travis-ci.org/jgarber/redcloth] {<img src="https://codeclimate.com/github/jgarber/redcloth/badges/gpa.svg" />}[https://codeclimate.com/github/jgarber/redcloth] + (See http://redcloth.org/textile/ for a Textile reference.) = RedCloth RedCloth is a Ruby library for converting Textile into HTML. +== Attention - Deprecating JRuby and Windows support in version 4.3 + +In order to prioritize merging a fix for the long standing vulnerability *CVE-2012-6684*, our {new maintainer}[https://github.com/joshuasiler] has elected to stop maintaining the precompiled versions for Windows and JRuby. + == Installing RedCloth can be installed via RubyGems: gem install RedCloth -It will install the appropriate Ruby, JRuby, or Win32 gem. If using JRuby, -version 1.1.5 or greater is required. - == Compiling If you just want to use RedCloth, you do NOT need to build/compile it. It is compiled from C sources automatically when you install the gem on the ruby -platform. Precompiled binary gems are provided for JRuby and Win32 platforms. +platform. Precompiled binary gems are provided for JRuby and Win32 platforms prior to version 4.3. RedCloth can be compiled with <tt>rake compile</tt>. Ragel 6.3 or greater is required. Again, Ragel is NOT needed to simply use RedCloth. === Supported platforms -By default, the rake compile task builds a native C extension (MRI 1.8 or 1.9) -or Java extension (JRuby 1.3). A pure Ruby version can also be generated, but -it's super slow and Ruby 1.8-only. The JRuby and pure-Ruby extensions don't -support multi-byte characters. Cross-compiling for win32 uses rake-compiler. +By default, the rake compile task builds a native C extension (MRI 1.8 or 1.9). 
A pure Ruby version can also be generated, but it's super slow and Ruby 1.8-only, and doesn't +support multi-byte characters. The RedCloth::EXTENSION_LANGUAGE constant indicates in which language your copy of RedCloth is compiled. -=== Compiling gems - -To compile MRI, JRuby, and win32 gems, you need rvm and rake-compiler. These -and other dependencies can be installed with bundler. Then rake build:all -takes care of compiling and packaging all gems. - - 1. gem install bundler - 2. bundle install - 3. rake-compiler cross-ruby VERSION=1.8.6-p398 - 4. rake-compiler cross-ruby VERSION=1.9.1-p243 - 5. rake build:all - == Bugs -Please submit bugs to http://jgarber.lighthouseapp.com/projects/13054-redcloth/overview +Please submit bugs as issues to this repo. == Using RedCloth @@ -69,7 +59,7 @@ doc = RedCloth.new <<EOD h2. Test document - + Just a simple test. EOD puts doc.to_html @@ -122,11 +112,11 @@ == Links -To make a hypertext link, put the link text in "quotation +To make a hypertext link, put the link text in "quotation marks" followed immediately by a colon and the URL of the link. -Optional: text in (parentheses) following the link text, -but before the closing quotation mark, will become a title +Optional: text in (parentheses) following the link text, +but before the closing quotation mark, will become a title attribute for the link, visible as a tool tip when a cursor is above it. Example: 
@@ -141,12 +131,12 @@ To insert an image, put the URL for the image inside exclamation marks. -Optional: text that immediately follows the URL in (parentheses) will -be used as the Alt text for the image. Images on the web should always -have descriptive Alt text for the benefit of readers using non-graphical +Optional: text that immediately follows the URL in (parentheses) will +be used as the Alt text for the image. Images on the web should always +have descriptive Alt text for the benefit of readers using non-graphical browsers. -Optional: place a colon followed by a URL immediately after the +Optional: place a colon followed by a URL immediately after the closing ! to make the image into a link. Example: @@ -167,11 +157,11 @@ == Defining Acronyms -HTML allows authors to define acronyms via the tag. The definition appears as a -tool tip when a cursor hovers over the acronym. A crucial aid to clear writing, +HTML allows authors to define acronyms via the tag. The definition appears as a +tool tip when a cursor hovers over the acronym. A crucial aid to clear writing, this should be used at least once for each acronym in documents where they appear. -To quickly define an acronym in Textile, place the full text in (parentheses) +To quickly define an acronym in Textile, place the full text in (parentheses) immediately following the acronym. Example: @@ -194,5 +184,3 @@ table{border:1px solid black}. {background:#ddd;color:red}. |a|red|row| - - Files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/redcloth/formatters/html.rb new/lib/redcloth/formatters/html.rb --- old/lib/redcloth/formatters/html.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/lib/redcloth/formatters/html.rb 2016-05-24 02:29:39.000000000 +0200 
@@ -111,15 +111,23 @@ end def link(opts) - "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" + if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/i + opts[:name] + else + "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" + end end def image(opts) - opts.delete(:align) - opts[:alt] = opts[:title] - img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />" - img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href] - img + if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/i || opts[:href] =~ /^\s*javascript:/i ) + opts[:title] + else + opts.delete(:align) + opts[:alt] = opts[:title] + img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />" + img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href] + img + end end def footno(opts) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/redcloth/formatters/latex.rb new/lib/redcloth/formatters/latex.rb --- old/lib/redcloth/formatters/latex.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/lib/redcloth/formatters/latex.rb 2016-05-24 02:29:39.000000000 +0200 @@ -3,7 +3,9 @@ module RedCloth::Formatters::LATEX include RedCloth::Formatters::Base - ENTITIES = YAML::load(File.read(File.dirname(__FILE__)+'/latex_entities.yml')) + def self.entities + @entities ||= YAML.load(File.read(File.dirname(__FILE__)+'/latex_entities.yml')) + end module Settings # Maps CSS style names to latex formatting options 
@@ -275,8 +277,8 @@ # TODO: what do we do with (unknown) unicode entities ? # def entity(opts) - text = opts[:text][0..0] == '#' ? opts[:text][1..-1] : opts[:text] - ENTITIES[text] + text = opts[:text][0..0] == '#' ? opts[:text][1..-1] : opts[:text] + RedCloth::Formatters::LATEX.entities[text] end def dim(opts) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/redcloth/version.rb new/lib/redcloth/version.rb --- old/lib/redcloth/version.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/lib/redcloth/version.rb 2016-05-24 02:29:39.000000000 +0200 @@ -1,13 +1,13 @@ module RedCloth module VERSION MAJOR = 4 - MINOR = 2 - TINY = 9 - RELEASE_CANDIDATE = nil + MINOR = 3 + TINY = 2 +# RELEASE_CANDIDATE = 0 - STRING = [MAJOR, MINOR, TINY, RELEASE_CANDIDATE].compact.join('.') - TAG = "REL_#{[MAJOR, MINOR, TINY, RELEASE_CANDIDATE].compact.join('_')}".upcase.gsub(/\.|-/, '_') - FULL_VERSION = "#{[MAJOR, MINOR, TINY, RELEASE_CANDIDATE].compact.join('.')}" + STRING = [MAJOR, MINOR, TINY].compact.join('.') + TAG = "REL_#{[MAJOR, MINOR, TINY].compact.join('_')}".upcase.gsub(/\.|-/, '_') + FULL_VERSION = "#{[MAJOR, MINOR, TINY].compact.join('.')}" class << self def to_s Files old/lib/redcloth_scan.jar and new/lib/redcloth_scan.jar differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 1970-01-01 01:00:00.000000000 +0100 +++ new/metadata 2016-05-24 02:29:39.000000000 +0200 
@@ -1,140 +1,100 @@ ---- !ruby/object:Gem::Specification +--- !ruby/object:Gem::Specification name: RedCloth -version: !ruby/object:Gem::Version - hash: 37 - prerelease: - segments: - - 4 - - 2 - - 9 - version: 4.2.9 +version: !ruby/object:Gem::Version + version: 4.3.2 platform: ruby -authors: +authors: - Jason Garber -- why the lucky stiff +- Joshua Siler - Ola Bini autorequire: bindir: bin cert_chain: [] - -date: 2011-11-27 00:00:00 Z -dependencies: -- !ruby/object:Gem::Dependency +date: 2016-05-24 00:00:00.000000000 Z +dependencies: +- !ruby/object:Gem::Dependency name: bundler - prerelease: false - requirement: &id001 !ruby/object:Gem::Requirement - none: false - requirements: - - - ~> - - !ruby/object:Gem::Version - hash: 3 - segments: - - 1 - - 0 - - 10 - version: 1.0.10 + requirement: !ruby/object:Gem::Requirement + requirements: + - - ">" + - !ruby/object:Gem::Version + version: 1.3.4 type: :development - version_requirements: *id001 -- !ruby/object:Gem::Dependency - name: rake prerelease: false - requirement: &id002 !ruby/object:Gem::Requirement - none: false - requirements: - - - ~> - - !ruby/object:Gem::Version - hash: 49 - segments: - - 0 - - 8 - - 7 - version: 0.8.7 + version_requirements: !ruby/object:Gem::Requirement + requirements: + - - ">" + - !ruby/object:Gem::Version + version: 1.3.4 +- !ruby/object:Gem::Dependency + name: rake + requirement: !ruby/object:Gem::Requirement + requirements: + - - "~>" + - !ruby/object:Gem::Version + version: 10.0.3 type: :development - version_requirements: *id002 -- !ruby/object:Gem::Dependency - name: rspec prerelease: false - requirement: &id003 !ruby/object:Gem::Requirement - none: false - requirements: - - - ~> - - !ruby/object:Gem::Version - hash: 11 - segments: - - 2 - - 4 - version: "2.4" + version_requirements: !ruby/object:Gem::Requirement + requirements: + - - "~>" + - !ruby/object:Gem::Version + version: 10.0.3 +- !ruby/object:Gem::Dependency + name: rspec + requirement: !ruby/object:Gem::Requirement + 
requirements: + - - "~>" + - !ruby/object:Gem::Version + version: '2.4' type: :development - version_requirements: *id003 -- !ruby/object:Gem::Dependency - name: diff-lcs prerelease: false - requirement: &id004 !ruby/object:Gem::Requirement - none: false - requirements: - - - ~> - - !ruby/object:Gem::Version - hash: 23 - segments: - - 1 - - 1 - - 2 + version_requirements: !ruby/object:Gem::Requirement + requirements: + - - "~>" + - !ruby/object:Gem::Version + version: '2.4' +- !ruby/object:Gem::Dependency + name: diff-lcs + requirement: !ruby/object:Gem::Requirement + requirements: + - - "~>" + - !ruby/object:Gem::Version version: 1.1.2 type: :development - version_requirements: *id004 -- !ruby/object:Gem::Dependency - name: rvm - prerelease: false - requirement: &id005 !ruby/object:Gem::Requirement - none: false - requirements: - - - ~> - - !ruby/object:Gem::Version - hash: 19 - segments: - - 1 - - 2 - - 6 - version: 1.2.6 - type: :development - version_requirements: *id005 -- !ruby/object:Gem::Dependency - name: rake-compiler prerelease: false - requirement: &id006 !ruby/object:Gem::Requirement - none: false - requirements: - - - ~> - - !ruby/object:Gem::Version - hash: 1 - segments: - - 0 - - 7 - - 1 - version: 0.7.1 - type: :development - version_requirements: *id006 + version_requirements: !ruby/object:Gem::Requirement + requirements: + - - "~>" + - !ruby/object:Gem::Version + version: 1.1.2 description: Textile parser for Ruby. 
email: [email protected] -executables: +executables: - redcloth -extensions: +extensions: - ext/redcloth_scan/extconf.rb -extra_rdoc_files: +extra_rdoc_files: - README.rdoc - COPYING - CHANGELOG -files: -- .gemtest -- .rspec +files: +- ".gemtest" +- ".rspec" - CHANGELOG - COPYING - Gemfile - README.rdoc - Rakefile -- doc/textile_reference.html - bin/redcloth +- doc/textile_reference.html +- ext/redcloth_scan/extconf.rb +- ext/redcloth_scan/redcloth.h +- ext/redcloth_scan/redcloth_attributes.c +- ext/redcloth_scan/redcloth_inline.c +- ext/redcloth_scan/redcloth_scan.c - lib/case_sensitive_require/RedCloth.rb +- lib/redcloth.rb - lib/redcloth/erb_extension.rb - lib/redcloth/formatters/base.rb - lib/redcloth/formatters/html.rb @@ -142,8 +102,6 @@ - lib/redcloth/formatters/latex_entities.yml - lib/redcloth/textile_doc.rb - lib/redcloth/version.rb -- lib/redcloth.rb -- lib/redcloth_scan.jar - lib/tasks/pureruby.rake - redcloth.gemspec - spec/benchmark_spec.rb 
@@ -177,89 +135,77 @@ - spec/formatters/sanitized_html_spec.rb - spec/formatters/style_filtered_html_spec.rb - spec/parser_spec.rb +- spec/security/CVE-2012-6684_spec.rb - spec/spec_helper.rb - tasks/compile.rake -- tasks/gems.rake - tasks/ragel_extension_task.rb - tasks/release.rake - tasks/rspec.rake - tasks/rvm.rake -- ext/redcloth_scan/redcloth_attributes.c -- ext/redcloth_scan/redcloth_inline.c -- ext/redcloth_scan/redcloth_scan.c -- ext/redcloth_scan/redcloth.h -- ext/redcloth_scan/extconf.rb homepage: http://redcloth.org -licenses: [] - +licenses: +- MIT +metadata: {} post_install_message: -rdoc_options: -- --charset=UTF-8 -- --line-numbers -- --inline-source -- --title +rdoc_options: +- "--charset=UTF-8" +- "--line-numbers" +- "--inline-source" +- "--title" - RedCloth -- --main +- "--main" - README.rdoc -require_paths: +require_paths: - lib - lib/case_sensitive_require - ext -required_ruby_version: !ruby/object:Gem::Requirement - none: false - requirements: +required_ruby_version: !ruby/object:Gem::Requirement + requirements: - - ">=" - - !ruby/object:Gem::Version - hash: 3 - segments: - - 0 - version: "0" -required_rubygems_version: !ruby/object:Gem::Requirement - none: false - requirements: + - !ruby/object:Gem::Version + version: '0' +required_rubygems_version: !ruby/object:Gem::Requirement + requirements: - - ">=" - - !ruby/object:Gem::Version - hash: 3 - segments: - - 0 - version: "0" + - !ruby/object:Gem::Version + version: '0' requirements: [] - rubyforge_project: redcloth -rubygems_version: 1.8.6 +rubygems_version: 2.4.8 signing_key: -specification_version: 3 -summary: RedCloth-4.2.9 -test_files: +specification_version: 4 +summary: RedCloth-4.3.2 +test_files: - spec/benchmark_spec.rb +- spec/parser_spec.rb +- spec/extension_spec.rb - spec/custom_tags_spec.rb +- spec/spec_helper.rb - spec/erb_spec.rb -- spec/extension_spec.rb -- spec/fixtures/basic.yml +- spec/fixtures/lists.yml +- spec/fixtures/links.yml - spec/fixtures/code.yml -- 
spec/fixtures/definitions.yml -- spec/fixtures/extra_whitespace.yml +- spec/fixtures/textism.yml +- spec/fixtures/basic.yml - spec/fixtures/filter_html.yml +- spec/fixtures/table.yml +- spec/fixtures/instiki.yml - spec/fixtures/filter_pba.yml -- spec/fixtures/html.yml +- spec/fixtures/threshold.yml - spec/fixtures/images.yml -- spec/fixtures/instiki.yml -- spec/fixtures/links.yml -- spec/fixtures/lists.yml -- spec/fixtures/poignant.yml +- spec/fixtures/definitions.yml - spec/fixtures/sanitize_html.yml -- spec/fixtures/table.yml -- spec/fixtures/textism.yml -- spec/fixtures/threshold.yml -- spec/formatters/class_filtered_html_spec.rb -- spec/formatters/filtered_html_spec.rb +- spec/fixtures/poignant.yml +- spec/fixtures/extra_whitespace.yml +- spec/fixtures/html.yml +- spec/formatters/id_filtered_html_spec.rb - spec/formatters/html_no_breaks_spec.rb - spec/formatters/html_spec.rb -- spec/formatters/id_filtered_html_spec.rb - spec/formatters/latex_spec.rb -- spec/formatters/lite_mode_html_spec.rb +- spec/formatters/style_filtered_html_spec.rb +- spec/formatters/class_filtered_html_spec.rb - spec/formatters/no_span_caps_html_spec.rb +- spec/formatters/filtered_html_spec.rb +- spec/formatters/lite_mode_html_spec.rb - spec/formatters/sanitized_html_spec.rb -- spec/formatters/style_filtered_html_spec.rb -- spec/parser_spec.rb -- spec/spec_helper.rb +- spec/security/CVE-2012-6684_spec.rb diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/redcloth.gemspec new/redcloth.gemspec --- old/redcloth.gemspec 1970-01-01 01:00:00.000000000 +0100 +++ new/redcloth.gemspec 2016-05-24 02:29:39.000000000 +0200 @@ -6,7 +6,7 @@ Gem::Specification.new do |s| s.name = "RedCloth" s.version = RedCloth::VERSION.to_s - s.authors = ["Jason Garber", "why the lucky stiff", "Ola Bini"] + s.authors = ["Jason Garber", "Joshua Siler", "Ola Bini"] s.description = "Textile parser for Ruby." s.summary = RedCloth::SUMMARY s.email = "[email protected]" 
@@ -23,30 +23,19 @@ s.rdoc_options = ["--charset=UTF-8", "--line-numbers", "--inline-source", "--title", "RedCloth", "--main", "README.rdoc"] s.require_paths += ["lib/case_sensitive_require", "ext"] - s.files -= Dir['lib/redcloth.jar'] - s.files -= Dir['lib/**/*.dll'] s.files -= Dir['lib/**/*.bundle'] s.files -= Dir['lib/**/*.so'] + + s.platform = 'ruby' - s.platform = RUBY_PLATFORM[/java/] || 'ruby' - case s.platform.to_s - when /java/ - s.files += ['lib/redcloth_scan.jar'] - else # MRI or Rubinius - s.files += %w[attributes inline scan].map {|f| "ext/redcloth_scan/redcloth_#{f}.c"} - s.files += ["ext/redcloth_scan/redcloth.h"] - s.extensions = Dir['ext/**/extconf.rb'] - end + s.files += %w[attributes inline scan].map {|f| "ext/redcloth_scan/redcloth_#{f}.c"} + s.files += ["ext/redcloth_scan/redcloth.h"] + s.extensions = Dir['ext/**/extconf.rb'] - s.add_development_dependency('bundler', '~> 1.0.10') - s.add_development_dependency('rake', '~> 0.8.7') + s.add_development_dependency('bundler', '> 1.3.4') + s.add_development_dependency('rake', '~> 10.0.3') s.add_development_dependency('rspec', '~> 2.4') s.add_development_dependency('diff-lcs', '~> 1.1.2') - - # Have to load these even though they're only needed for - # gem packaging. Otherwise, Bundler complains that they're - # not installed even though they're not required. - # See https://github.com/carlhuda/bundler/issues/issue/1021 - s.add_development_dependency('rvm', '~> 1.2.6') - s.add_development_dependency('rake-compiler', '~> 0.7.1') -end \ No newline at end of file + + s.license = "MIT" +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spec/parser_spec.rb new/spec/parser_spec.rb --- old/spec/parser_spec.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/spec/parser_spec.rb 2016-05-24 02:29:39.000000000 +0200 
@@ -6,13 +6,13 @@ it "should accept options" do lambda { RedCloth.new("test", [:hard_breaks]) - }.should_not raise_error(ArgumentError) + }.should_not raise_error end end it "should have a VERSION" do - RedCloth.const_defined?("VERSION").should be_true - RedCloth::VERSION.const_defined?("STRING").should be_true + RedCloth.const_defined?("VERSION").should be_truthy + RedCloth::VERSION.const_defined?("STRING").should be_truthy end it "should show the version as a string" do @@ -21,7 +21,7 @@ end it "should have EXTENSION_LANGUAGE" do - RedCloth.const_defined?("EXTENSION_LANGUAGE").should be_true + RedCloth.const_defined?("EXTENSION_LANGUAGE").should be_truthy RedCloth::EXTENSION_LANGUAGE.should_not be_empty RedCloth::DESCRIPTION.should include(RedCloth::EXTENSION_LANGUAGE) end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spec/security/CVE-2012-6684_spec.rb new/spec/security/CVE-2012-6684_spec.rb --- old/spec/security/CVE-2012-6684_spec.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/spec/security/CVE-2012-6684_spec.rb 2016-05-24 02:29:39.000000000 +0200 
@@ -0,0 +1,33 @@ +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684 + +require 'redcloth' + +describe 'CVE-2012-6684' do + + it 'should not let javascript links pass through' do + # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en + output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html + expect(output).to_not match(/href=.javascript:alert/) + + output = RedCloth.new('["clickme":jAvascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html + expect(output).to_not match(/href=.jAvascript:alert/) + end + + it 'should not let javascript links pass through on images' do + output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"').to_html + expect(output).to match(/src=.javascript:alert/) + expect(output).to match(/href=.javascript:prompt/) + + output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html + expect(output).to_not match(/src=.javascript:alert/) + expect(output).to_not match(/href=.javascript:prompt/) + + output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"').to_html + expect(output).to match(/src=.jAvascript:alert/) + expect(output).to match(/href=.jAvascript:prompt/) + + output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html + expect(output).to_not match(/src=.jAvascript:alert/) + expect(output).to_not match(/href=.jAvascript:prompt/) + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tasks/compile.rake new/tasks/compile.rake --- old/tasks/compile.rake 1970-01-01 01:00:00.000000000 +0100 +++ new/tasks/compile.rake 2016-05-24 02:29:39.000000000 +0200 
@@ -12,19 +12,16 @@ ] # Load the Gem specification for the current platform (Ruby or JRuby). -def gemspec(platform = RUBY_PLATFORM[/java/] || 'ruby') +def gemspec(platform = 'ruby') Gem::Specification.load(File.expand_path('../../redcloth.gemspec', __FILE__)) end require 'rake/extensiontask' -require 'rake/javaextensiontask' require File.dirname(__FILE__) + '/ragel_extension_task' -if defined?(JRUBY_VERSION) - Rake::JavaRagelExtensionTask.new('redcloth_scan', gemspec) -else - extconf = "ext/redcloth_scan/extconf.rb" - file extconf do + +extconf = "ext/redcloth_scan/extconf.rb" +file extconf do FileUtils.mkdir(File.dirname(extconf)) unless File.directory?(File.dirname(extconf)) File.open(extconf, "w") do |io| io.write(<<-EOF) @@ -36,12 +33,7 @@ create_makefile("redcloth_scan") EOF end - end - - Rake::RagelExtensionTask.new("redcloth_scan", gemspec) do |ext| - if ENV['RUBY_CC_VERSION'] - ext.cross_compile = true - ext.cross_platform = ['i386-mingw32', 'i386-mswin32-60'] - end - end end + +Rake::RagelExtensionTask.new("redcloth_scan", gemspec) do |ext| +end \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tasks/gems.rake new/tasks/gems.rake --- old/tasks/gems.rake 1970-01-01 01:00:00.000000000 +0100 +++ new/tasks/gems.rake 1970-01-01 01:00:00.000000000 +0100 
@@ -1,37 +0,0 @@ -Rake::Task['build'].prerequisites.unshift('compile') - -namespace :build do - desc "Generate Windows binary gems" - task :win do - unless File.directory?(File.expand_path('~/.rake-compiler')) - STDERR.puts <<-EOM - - You must install Windows rubies to ~/.rake-compiler with: - - rake-compiler cross-ruby VERSION=1.8.6-p398 - # (Later 1.9.1 patch levels don't compile on mingw) - rake-compiler cross-ruby VERSION=1.9.1-p243 - EOM - exit(1) - end - # rvm and mingw ruby versions have to match to avoid errors - sh "rvm ruby-1.8.6-p398@redcloth rake cross compile RUBY_CC_VERSION=1.8.6" - sh "rvm ruby-1.9.1-p243@redcloth rake cross compile RUBY_CC_VERSION=1.9.1" - # This will copy the .so files to the proper place - sh "rake cross native gem RUBY_CC_VERSION=1.8.6:1.9.1" - end - - desc 'Generate JRuby binary gem' - task :jruby do - sh "rvm jruby@redcloth rake java gem" - end - - desc "Build ruby, windows, and jruby gems into the pkg directory" - task :all => [ - :clobber, - "rvm:spec", - :jruby, - :win, - :build - ] -end \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tasks/ragel_extension_task.rb new/tasks/ragel_extension_task.rb --- old/tasks/ragel_extension_task.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/tasks/ragel_extension_task.rb 2016-05-24 02:29:39.000000000 +0200 @@ -42,17 +42,14 @@ { 'scan' => { 'c' => "#{@ext_dir}/redcloth_scan.c", - 'java' => "#{@ext_dir}/RedclothScanService.java", 'rb' => "#{@ext_dir}/redcloth_scan.rb" }, 'inline' => { 'c' => "#{@ext_dir}/redcloth_inline.c", - 'java' => "#{@ext_dir}/RedclothInline.java", 'rb' => "#{@ext_dir}/redcloth_inline.rb" }, 'attributes' => { 'c' => "#{@ext_dir}/redcloth_attributes.c", - 'java' => "#{@ext_dir}/RedclothAttributes.java", 'rb' => "#{@ext_dir}/redcloth_attributes.rb" } }[machine][lang] @@ -88,7 +85,6 @@ def host_language_flag { 'c' => 'C', - 'java' => 'J', 'rb' => 'R' }[lang] end 
@@ -96,7 +92,6 @@ def preferred_code_style { 'c' => 'T0', - 'java' => nil, 'rb' => 'F1' }[lang] end @@ -117,11 +112,5 @@ "c" end end - class JavaRagelExtensionTask < JavaExtensionTask - include RagelGenerationTasks - - def lang - "java" - end - end + end \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tasks/release.rake new/tasks/release.rake --- old/tasks/release.rake 1970-01-01 01:00:00.000000000 +0100 +++ new/tasks/release.rake 2016-05-24 02:29:39.000000000 +0200 @@ -1,15 +1,16 @@ namespace :release do - desc 'Upload all packages and tag git' - task :all => ['build:all', :release, :push_native_gems] + desc 'Push all gems to rubygems.org' + # git tag and push tag + # git tag vx.x.x + # git push --follow-tags + # branch into stable vx.x branch + # change version in version.rb + # update changelog + # run rake test - desc 'Push all gems to rubygems.org (gemcutter)' - task :push_native_gems do - Dir.chdir('pkg') do - Dir['*.gem'].select {|g| g =~ /\w+-[^-]+-\w+.gem/ }.each do |gem_file| - sh("gem push #{gem_file}") - end - end + task :gem do + sh("gem build redcloth.gemspec") + sh("gem push RedCloth-*.gem") end end -Rake::Task['release'].prerequisites.unshift('build') \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tasks/rvm.rake new/tasks/rvm.rake --- old/tasks/rvm.rake 1970-01-01 01:00:00.000000000 +0100 +++ new/tasks/rvm.rake 2016-05-24 02:29:39.000000000 +0200 
@@ -1,12 +1,14 @@ +require 'rvm' + namespace :rvm do - RVM_RUBIES = ['jruby-1.5.6' , 'ruby-1.8.6-p398', 'ruby-1.9.1-p243', 'ruby-1.9.2-p136', 'ree-1.8.7-2010.02'] + RVM_RUBIES = ['ruby-1.8.6-p398', 'ruby-1.9.1-p243', 'ruby-1.9.2-p136', 'ruby-2.2.3p173'] RVM_GEMSET_NAME = 'redcloth' task :setup do unless @rvm_setup rvm_lib_path = "#{`echo $rvm_path`.strip}/lib" - $LOAD_PATH.unshift(rvm_lib_path) unless $LOAD_PATH.include?(rvm_lib_path) + #$LOAD_PATH.unshift(rvm_lib_path) unless $LOAD_PATH.include?(rvm_lib_path) require 'rvm' require 'tmpdir' @rvm_setup = true @@ -21,7 +23,7 @@ # gets confused when locked to java and running ruby and vice-versa. STDERR << RVM.run('bundle update').stderr - result = RVM.perform_set_operation(:rake) + result = RVM.run("rake test") STDOUT << result.stdout STDERR << result.stderr end ++++++ gem2rpm.yml ++++++ --- /var/tmp/diff_new_pack.Iyt4eU/_old 2016-05-29 03:13:50.000000000 +0200 +++ /var/tmp/diff_new_pack.Iyt4eU/_new 2016-05-29 03:13:50.000000000 +0200 @@ -71,8 +71,6 @@ --- :summary: Textile parser for Ruby :license: MIT -:patches: - 0001-Filter-out-javascript-links-when-using-filter_html-o.patch: -p1 :sources: - rubygem-RedCloth-rpmlintrc - series
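Review bot: in the README.rdoc hunk (@@ -1,59 +1,49 @@) the retained sentence "By default, the rake compile task builds a native C extension (MRI 1.8 or 1.9)" is now stale, since the CHANGELOG entry for 4.3.0 in this same package adds Ruby 2.2.3 testing and support; update the version list so the README and CHANGELOG agree. The new "Attention" section says why JRuby and Windows support were dropped but not that the CVE-2012-6684 fix only takes effect when the parser is created with a filter option (`:filter_html` or `:sanitize_html`), which is what the new html.rb guard and the new spec in this package show; one sentence stating that would save users from assuming unfiltered output is now safe.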
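Review bot: in the lib/redcloth/formatters/html.rb hunk (@@ -111,15 +111,23 @@) both new guards use `/^\s*javascript:/i`; in Ruby `^` matches at the start of any line rather than the start of the string, so the intended "URL begins with" check reads more precisely as `/\A\s*javascript:/i` (with `^` a multi-line value matches at a later line, which is over-rejecting here, not a bypass, but the anchor should state what is meant). The guard is conditional on `filter_html || sanitize_html`, so with no filter option `link` and `image` still emit the `javascript:` URL unchanged; that is the behaviour the new CVE-2012-6684 spec asserts for the unfiltered case, and it deserves a comment above the `if` so the scope of the fix is explicit. Both fallbacks interpolate `opts[:name]` / `opts[:title]` raw, exactly as the old `else` branch did, so they rely on the scanner having already escaped that text under `filter_html`; a short comment noting that assumption would help the next reader.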
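Review bot: in the lib/redcloth/version.rb hunk (@@ -1,13 +1,13 @@) the line `# RELEASE_CANDIDATE = 0` is left as a commented-out constant while `STRING`, `TAG` and `FULL_VERSION` drop it from their arrays, so cutting a pre-release later means re-editing four lines; either delete the comment or keep `RELEASE_CANDIDATE = nil` in the arrays as before. With the constant gone, the `.compact` calls on `[MAJOR, MINOR, TINY]` are no-ops and can go too.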
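Review bot: in the redcloth.gemspec hunk (@@ -23,30 +23,19 @@) `s.add_development_dependency('bundler', '> 1.3.4')` has no upper bound, unlike the pessimistic `~>` constraints on `rake`, `rspec` and `diff-lcs` in the same block; a `~>` constraint keeps development installs reproducible and matches the style of the neighbouring lines. The added `s.license = "MIT"` is welcome since `licenses: []` in the old metadata left the gem unlicensed on rubygems.org.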
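Review bot: in the spec/security/CVE-2012-6684_spec.rb hunk (@@ -0,0 +1,33 @@) the formatter guard accepts leading whitespace (`\s*`), but no case exercises it; add an input with a space before `javascript:` under the filter options so that branch is covered. The first half of the image example asserts that the unfiltered parser does emit `src=.javascript:alert` and `href=.javascript:prompt`; that documents default behaviour rather than the fix, so a comment saying it is intentional (the fix applies only with `:filter_html`/`:sanitize_html`) will stop a later contributor from "fixing" those assertions.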
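Review bot: in the tasks/compile.rake hunk (@@ -12,19 +12,16 @@) the comment "# Load the Gem specification for the current platform (Ruby or JRuby)." and the `platform` parameter of `gemspec` survive although the JRuby branch is removed and the parameter is never used in the body; drop the parameter and reword the comment. At the end of the file `Rake::RagelExtensionTask.new("redcloth_scan", gemspec) do |ext| end` passes an empty block, which can be omitted, and the file is committed without a trailing newline (`\ No newline at end of file`).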
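Review bot: in the tasks/release.rake hunk (@@ -1,15 +1,16 @@) `sh("gem push RedCloth-*.gem")` expands a shell glob in the working directory, so any stale `.gem` left from an earlier build is pushed as well; push the exact file built by the preceding `gem build`, for example `sh("gem push RedCloth-#{RedCloth::VERSION::STRING}.gem")` (the `STRING` constant is defined in lib/redcloth/version.rb in this same patch). The release checklist (tag, push tags, stable branch, bump version, update changelog, run tests) lives in a plain comment between `desc` and `task :gem`, where `rake -T` never shows it; move it into the `desc` text or a RELEASING section of the README so maintainers actually see it.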
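Review bot: in the tasks/rvm.rake hunk (@@ -1,12 +1,14 @@) `require 'rvm'` is added at file top while the `$LOAD_PATH.unshift(rvm_lib_path)` line is only commented out and the original `require 'rvm'` inside `task :setup` is kept, so the gem is now required twice and, unlike before, is loaded whenever the Rakefile is loaded, which makes every `rake` invocation fail on a machine without the rvm gem; keep one lazy require inside `:setup` and delete the commented-out line rather than leaving dead code. The new entry `'ruby-2.2.3p173'` also differs in form from the other names in `RVM_RUBIES` (`ruby-1.9.2-p136` uses a hyphen before the patch level), so check it against the names rvm actually accepts before relying on `rvm:spec`.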
