Hello community,

here is the log from the commit of package rubygem-i18n.2379 for openSUSE:12.3:Update checked in at 2013-12-23 14:39:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/rubygem-i18n.2379 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.rubygem-i18n.2379.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-i18n.2379"

Changes:
--------
New Changes file:

--- /dev/null   2013-11-25 01:44:08.036031256 +0100
+++ /work/SRC/openSUSE:12.3:Update/.rubygem-i18n.2379.new/rubygem-i18n.changes  
2013-12-23 14:39:11.000000000 +0100
@@ -0,0 +1,37 @@
+-------------------------------------------------------------------
+Wed Dec 11 17:03:26 UTC 2013 - jmassaguer...@suse.com
+
+- fix bnc#854166: CVE-2013-4492: rubygem-i18n: missing translation 
+  XSS. File CVE-2013-4492.patch.i18n.0.6.x contains the fix.
+
+-------------------------------------------------------------------
+Fri Aug 31 14:59:22 UTC 2012 - co...@suse.com
+
+- updated to version 0.6.1, no changelog
+
+-------------------------------------------------------------------
+Fri Aug  3 07:49:10 UTC 2012 - co...@suse.com
+
+- remove no longer necessary suffix
+
+-------------------------------------------------------------------
+Tue Jul 31 11:44:56 UTC 2012 - jreidin...@suse.com
+
+- use new gem2rpm to provide correct dependencies for activesupport 
+
+-------------------------------------------------------------------
+Fri Mar 23 10:59:56 UTC 2012 - sasc...@suse.de
+
+- Spec file cleanup:
+  * Factory preparation
+
+-------------------------------------------------------------------
+Tue Aug 16 12:33:53 UTC 2011 - mrueck...@suse.de
+
+- change license header to list MIT and Ruby license (bnc#712385)
+
+-------------------------------------------------------------------
+Mon Jun 20 12:33:57 UTC 2011 - mrueck...@suse.de
+
+- initial package of the 0.6 branch (0.6.0)
+
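Review bot: the CVE-2013-4492 entry names the patch file but not the upstream i18n commit or release it was backported from; the only trace is the `index c0cf438..669d4cd` line inside the patch itself. Adding that reference to the changelog entry would make the backport easier to audit and to drop once the gem is updated to a fixed upstream version.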

New:
----
  CVE-2013-4492.patch.i18n.0.6.x
  i18n-0.6.1.gem
  rubygem-i18n.changes
  rubygem-i18n.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-i18n.spec ++++++
#
# spec file for package rubygem-i18n
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           rubygem-i18n
Version:        0.6.1
Release:        0
%define mod_name i18n
%define mod_full_name %{mod_name}-%{version}

BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  ruby-macros >= 1
Url:            http://github.com/svenfuchs/i18n
Source:         %{mod_full_name}.gem
Source1:        CVE-2013-4492.patch.i18n.0.6.x 
Summary:        New wave Internationalization support for Ruby
License:        MIT and Ruby
Group:          Development/Languages/Ruby

%description
New wave Internationalization support for Ruby.

%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%package testsuite
Summary:        Test suite for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description testsuite
Test::Unit or RSpec files, useful for developers.

%prep
#gem_unpack
#if you need patches, apply them here and replace the # with a % sign in the surrounding lines
#gem_build

%build

%install
%gem_install -f
# Apply the CVE-2013-4492 fix to the unpacked gem directory only; the original
# .gem copy kept under cache/, which is also packaged, stays unpatched.
pushd %{buildroot}%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}
 patch -p1 < %{S:1}
popd

%files
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%exclude %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec

%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/

%files testsuite
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test

%changelog
++++++ CVE-2013-4492.patch.i18n.0.6.x ++++++
diff --git a/lib/i18n/exceptions.rb b/lib/i18n/exceptions.rb
index c0cf438..669d4cd 100644
--- a/lib/i18n/exceptions.rb
+++ b/lib/i18n/exceptions.rb
@@ -1,3 +1,5 @@
+require 'cgi'
+
 module I18n
   # Handles exceptions raised in the backend. All exceptions except for
   # MissingTranslationData exceptions are re-thrown. When a 
MissingTranslationData
@@ -45,8 +59,9 @@ module I18n
       end
 
       def html_message
-        key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { 
$1.capitalize }
-        %(<span class="translation_missing" title="translation missing: 
#{keys.join('.')}">#{key}</span>)
+        key  = CGI.escape_html titleize(keys.last)
+        path = CGI.escape_html keys.join('.')
+        %(<span class="translation_missing" title="translation missing: 
#{path}">#{key}</span>)
       end
 
       def keys
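Review bot: no test accompanies the change to `html_message`; a test asserting that a key containing `<`, `>` and `"` comes back escaped both in the element text and in the double-quoted `title` attribute would pin the fix. Separately, the `@@ -45,8 +59,9 @@` header implies 14 lines added above this point in the new file, while the first hunk adds only two, so the patch was evidently trimmed from a larger upstream diff; `patch -p1` will still place the hunk by its context and report an offset, but regenerating the headers against the 0.6.1 sources would make it apply without offset warnings.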
@@ -63,6 +78,13 @@ module I18n
       def to_exception
         MissingTranslationData.new(locale, key, options)
       end
+
+      protected
+
+      # TODO : remove when #html_message is removed
+      def titleize(key)
+        key.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
+      end
     end
 
     include Base
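Review bot: `titleize` is only called with an implicit receiver from `html_message`, so `private` is the conventional visibility here rather than `protected`, which exposes it to other instances of the class for no reason. The TODO is useful; spelling out that the helper exists solely for `html_message` would make the removal condition unambiguous.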
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org