Fix for CVE-2012-1098.

- Fix for CVE-2012-1099.
author: Bohuslav Kabrda <bkabrda@redhat.com> 2012-03-06 07:06:12 +0100
committer: Bohuslav Kabrda <bkabrda@redhat.com> 2012-03-06 07:06:12 +0100
commit: be86fa33f687a877ce052404fb018eae6ae9f892 (patch)
tree: 78d5e38104d7fb4f19874e16524cb21e45654384
parent: 270805a16e721fa2c4b13c41e5d239e87413b451 (diff)
download: rubygem-actionpack-be86fa33f687a877ce052404fb018eae6ae9f892.tar.gz
rubygem-actionpack-be86fa33f687a877ce052404fb018eae6ae9f892.tar.xz
rubygem-actionpack-be86fa33f687a877ce052404fb018eae6ae9f892.zip
3 files changed, 120 insertions, 1 deletions
diff --git a/actionpack-safe-buffer-slice-fix.patch b/actionpack-safe-buffer-slice-fix.patch
new file mode 100644
index 0000000..3eaca8d
--- /dev/null
+++ b/actionpack-safe-buffer-slice-fix.patch
@@ -0,0 +1,44 @@
+From 00e632de2bde61425142ef8edc408e8d21ff9134 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson@gmail.com>
+Date: Wed, 29 Feb 2012 16:37:30 -0800
+Subject: [PATCH] Squashed commit of the following:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 917fd1a03845f4eedaccbc338f9d7524e98d45ee
+Author: José Valim <jose.valim@gmail.com>
+Date:   Wed Feb 29 22:30:51 2012 +0100
+
+    Ensure [] respects the status of the buffer.
+
+commit 6adc41789017682306181e3db5b30337fe450bcc
+Author: Akira Matsuda <ronnie@dio.jp>
+Date:   Mon Feb 13 17:57:05 2012 +0900
+
+    use AS::SafeBuffer#clone_empty for flushing the output_buffer
+
+commit e50ee96a0b37e7c5adfc555edd402ad04cc159f1
+Author: Akira Matsuda <ronnie@dio.jp>
+Date:   Mon Feb 13 17:54:58 2012 +0900
+
+    add AS::SafeBuffer#clone_empty
+---
+ .../lib/action_view/helpers/capture_helper.rb      |    2 +-
+ .../core_ext/string/output_safety.rb               |   50 ++++++++++++-------
+ activesupport/test/safe_buffer_test.rb             |   46 ++++++++++++++++--
+ 3 files changed, 74 insertions(+), 24 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/capture_helper.rb b/actionpack/lib/action_view/helpers/capture_helper.rb
+index cbc660d..c91e4c1 100644
+--- a/actionpack/lib/action_view/helpers/capture_helper.rb
++++ b/actionpack/lib/action_view/helpers/capture_helper.rb
+@@ -179,7 +179,7 @@ module ActionView
+       def flush_output_buffer #:nodoc:
+         if output_buffer && !output_buffer.empty?
+           response.body_parts << output_buffer
+-          self.output_buffer = output_buffer[0,0]
++          self.output_buffer = output_buffer.respond_to?(:clone_empty) ? output_buffer.clone_empty : output_buffer[0, 0]
+           nil
+         end
+       end
diff --git a/actionpack-select-options-XSS-fix.patch b/actionpack-select-options-XSS-fix.patch
new file mode 100644
index 0000000..f0211c0
--- /dev/null
+++ b/actionpack-select-options-XSS-fix.patch
@@ -0,0 +1,61 @@
+From 5b4082fddf3412aef6c085fbb2a13fd3bbc75f4e Mon Sep 17 00:00:00 2001
+From: Sergey Nartimov <just.lest@gmail.com>
+Date: Mon, 20 Feb 2012 15:41:17 -0800
+Subject: [PATCH] fix output safety issue with select options
+
+---
+ .../lib/action_view/helpers/form_options_helper.rb |    6 +++---
+ .../test/template/form_options_helper_test.rb      |    9 ++++++++-
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
+index 082647f..949b02a 100644
+--- a/actionpack/lib/action_view/helpers/form_options_helper.rb
++++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
+@@ -596,13 +596,13 @@ module ActionView
+       private
+         def add_options(option_tags, options, value = nil)
+           if options[:include_blank]
+-            option_tags = "<option value=\"\">#{html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
++            option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags
+           end
+           if value.blank? && options[:prompt]
+             prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
+-            option_tags = "<option value=\"\">#{html_escape(prompt)}</option>\n" + option_tags
++            option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags
+           end
+-          option_tags.html_safe
++          option_tags
+         end
+     end
+ 
+diff --git a/actionpack/test/template/form_options_helper_test.rb b/actionpack/test/template/form_options_helper_test.rb
+index 6656420..9ca4bf6 100644
+--- a/actionpack/test/template/form_options_helper_test.rb
++++ b/actionpack/test/template/form_options_helper_test.rb
+@@ -432,7 +432,7 @@ class FormOptionsHelperTest < ActionView::TestCase
+ 
+   def test_select_under_fields_for_with_string_and_given_prompt
+     @post = Post.new
+-    options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>"
++    options = "<option value=\"abe\">abe</option><option value=\"mus\">mus</option><option value=\"hest\">hest</option>".html_safe
+ 
+     output_buffer = fields_for :post, @post do |f|
+       concat f.select(:category, options, :prompt => 'The prompt')
+@@ -536,6 +536,13 @@ class FormOptionsHelperTest < ActionView::TestCase
+     )
+   end
+ 
++  def test_select_escapes_options
++    assert_dom_equal(
++      '<select id="post_title" name="post[title]">&lt;script&gt;alert(1)&lt;/script&gt;</select>',
++      select('post', 'title', '<script>alert(1)</script>')
++    )
++  end
++
+   def test_select_with_selected_nil
+     @post = Post.new
+     @post.category = "<mus>"
+-- 
+1.7.6
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 61e6799..b76cdd8 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -7,7 +7,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.0.11
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -36,6 +36,14 @@ Patch2: actionpack-tests-fix.patch
 
 Patch3: actionpack-downgrade-dependencies.patch
 
+# Fixes CVE-2012-1098
+# https://bugzilla.redhat.com/show_bug.cgi?id=799275
+Patch4: actionpack-safe-buffer-slice-fix.patch
+
+# Fixes CVE-2012-1099
+# https://bugzilla.redhat.com/show_bug.cgi?id=799276
+Patch5: actionpack-select-options-XSS-fix.patch
+
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
@@ -94,6 +102,8 @@ pushd .%{gem_instdir}
 %patch0 -p0
 %patch1 -p0
 %patch2 -p0
+%patch4 -p2
+%patch5 -p2
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -165,6 +175,10 @@ rake test --trace
 
 
 %changelog
+* Tue Mar 06 2012 Bohuslav Kabrda <bkabrda@redhat.com> - 1:3.0.11-2
+- Fix for CVE-2012-1098.
+- Fix for CVE-2012-1099.
+
 * Tue Jan 31 2012 Bohuslav Kabrda <bkabrda@redhat.com> - 1:3.0.11-1
 - Rebuilt for Ruby 1.9.3.
 - Updated to ActionPack 3.0.11.
author	Bohuslav Kabrda <bkabrda@redhat.com>	2012-03-06 07:06:12 +0100
committer	Bohuslav Kabrda <bkabrda@redhat.com>	2012-03-06 07:06:12 +0100
commit	be86fa33f687a877ce052404fb018eae6ae9f892 (patch)
tree	78d5e38104d7fb4f19874e16524cb21e45654384
parent	270805a16e721fa2c4b13c41e5d239e87413b451 (diff)
download	rubygem-actionpack-be86fa33f687a877ce052404fb018eae6ae9f892.tar.gz rubygem-actionpack-be86fa33f687a877ce052404fb018eae6ae9f892.tar.xz rubygem-actionpack-be86fa33f687a877ce052404fb018eae6ae9f892.zip